feat: configurable open-access mode for IdP auth when role mappings are not enforced #128

@coopernetes

Background

Role mappings are now deny-by-default: when auth.role-mappings is configured, only users whose IdP groups match a mapping are granted access. This is the correct behaviour for regulated environments.

However, some operators may run in environments where the IdP acts purely as an authentication mechanism (SSO convenience) rather than an authorisation gate — i.e. any valid corporate credential should be allowed in, and roles are assigned separately or not at all.

Proposed change

Add a boolean config field, e.g.:

auth:
  require-role-mapping: true   # default — deny if no group matches a mapping

When set to false, the old behaviour is restored: any user who authenticates successfully against the IdP is granted ROLE_USER, and role mappings (if present) only add additional roles on top.

Implementation sketch

  • Add requireRoleMapping (default true) to AuthConfig
  • In mapIdpGroupsToRoles and buildOidcUserService: when requireRoleMapping is false, fall back to granting ROLE_USER unconditionally instead of throwing
  • Document in CONFIGURATION.md

Notes

  • Default must remain true (deny-by-default) to preserve the regulatory posture
  • The flag is a no-op when role-mappings is empty, since open mode is already the behaviour in that case
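The two modes side by side, as an added example that is not code from this issue or from the project: the class and method names (AuthConfig, mapIdpGroupsToRoles, NoRoleMappingException) and the assumed shape of role-mappings (a map from IdP group name to a list of roles) are illustrative assumptions, and strict mode is assumed to grant only what the mappings say.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Illustration of the proposed require-role-mapping switch. Names and the
 * shape of role-mappings (IdP group -> list of roles) are assumptions made
 * for this example; they are not the project's code. Requires Java 16+.
 */
public final class RoleMappingExample {

    /** Raised when deny-by-default is in force and no IdP group matched a mapping. */
    public static final class NoRoleMappingException extends RuntimeException {
        public NoRoleMappingException(String message) {
            super(message);
        }
    }

    /** Stand-in for the auth config: role-mappings plus the proposed flag (default true). */
    public record AuthConfig(Map<String, List<String>> roleMappings, boolean requireRoleMapping) {
        public AuthConfig(Map<String, List<String>> roleMappings) {
            this(roleMappings, true); // default stays deny-by-default
        }
    }

    /**
     * Turns the groups asserted by the IdP into application roles.
     *
     *  - role-mappings empty: open mode regardless of the flag (the flag is a no-op).
     *  - requireRoleMapping=true: only mapped roles; no match means reject.
     *  - requireRoleMapping=false: ROLE_USER always, mapped roles added on top.
     */
    public static Set<String> mapIdpGroupsToRoles(AuthConfig cfg, Set<String> idpGroups) {
        Map<String, List<String>> mappings = cfg.roleMappings();
        Set<String> roles = new LinkedHashSet<>();

        if (mappings == null || mappings.isEmpty()) {
            roles.add("ROLE_USER");
            return roles;
        }

        Set<String> mapped = new LinkedHashSet<>();
        for (Map.Entry<String, List<String>> mapping : mappings.entrySet()) {
            if (idpGroups.contains(mapping.getKey())) {
                mapped.addAll(mapping.getValue());
            }
        }

        if (cfg.requireRoleMapping()) {
            if (mapped.isEmpty()) {
                throw new NoRoleMappingException(
                        "authenticated, but no IdP group matches a role mapping");
            }
            return mapped; // assumption: strict mode grants only what the mappings say
        }

        roles.add("ROLE_USER");
        roles.addAll(mapped);
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample config and group claims, not taken from any real IdP.
        Map<String, List<String>> mappings = Map.of(
                "app-admins", List.of("ROLE_ADMIN"),
                "app-auditors", List.of("ROLE_AUDITOR"));
        AuthConfig strict = new AuthConfig(mappings);       // require-role-mapping: true
        AuthConfig open = new AuthConfig(mappings, false);  // require-role-mapping: false

        Set<String> admin = Set.of("app-admins", "everyone");
        Set<String> employee = Set.of("everyone");          // valid SSO login, no mapped group

        System.out.println("strict, admin:    " + mapIdpGroupsToRoles(strict, admin));
        System.out.println("open, admin:      " + mapIdpGroupsToRoles(open, admin));
        System.out.println("open, employee:   " + mapIdpGroupsToRoles(open, employee));
        try {
            mapIdpGroupsToRoles(strict, employee);
        } catch (NoRoleMappingException denied) {
            System.out.println("strict, employee: denied (" + denied.getMessage() + ")");
        }
        // Empty role-mappings: the flag is a no-op and everyone gets ROLE_USER.
        System.out.println("no mappings, strict flag: "
                + mapIdpGroupsToRoles(new AuthConfig(Map.of()), employee));
    }
}
```

Run it with `java RoleMappingExample.java`. The point worth checking in any real implementation is the last case: with an empty role-mappings block the strict flag changes nothing, so a deployment that relies on deny-by-default must actually configure mappings, not just leave the flag at its default.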

Labels

  • area:auth (Authentication, authorization, identity)
  • area:config (Configuration, registry, provider loading)
  • enhancement (New feature or request)
