Add OIDC fixes, add prefered_username, add application-user claims

db/migrate/20251122235519_add_sid_to_oidc_user_consent.rb

@@ -0,0 +1,15 @@
+class AddSidToOidcUserConsent < ActiveRecord::Migration[8.1]
+  def change
+    add_column :oidc_user_consents, :sid, :string
+    add_index :oidc_user_consents, :sid
+
+    # Generate UUIDs for existing consent records
+    reversible do |dir|
+      dir.up do
+        OidcUserConsent.where(sid: nil).find_each do |consent|
+          consent.update_column(:sid, SecureRandom.uuid)
+        end
+      end
+    end
+  end
+end

db/migrate/20251123052026_create_application_user_claims.rb

@@ -0,0 +1,13 @@
+class CreateApplicationUserClaims < ActiveRecord::Migration[8.1]
+  def change
+    create_table :application_user_claims do |t|
+      t.references :application, null: false, foreign_key: { on_delete: :cascade }
+      t.references :user, null: false, foreign_key: { on_delete: :cascade }
+      t.json :custom_claims, default: {}, null: false
+
+      t.timestamps
+    end
+
+    add_index :application_user_claims, [:application_id, :user_id], unique: true, name: 'index_app_user_claims_unique'
+  end
+end

db/migrate/20251125012446_add_username_to_users.rb

@@ -0,0 +1,6 @@
+class AddUsernameToUsers < ActiveRecord::Migration[8.1]
+  def change
+    add_column :users, :username, :string
+    add_index :users, :username, unique: true
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.1].define(version: 2025_11_22_235519) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_25_012446) do
   create_table "application_groups", force: :cascade do |t|
     t.integer "application_id", null: false
     t.datetime "created_at", null: false
@@ -21,6 +21,17 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_22_235519) do
     t.index ["group_id"], name: "index_application_groups_on_group_id"
   end
 
+  create_table "application_user_claims", force: :cascade do |t|
+    t.integer "application_id", null: false
+    t.datetime "created_at", null: false
+    t.json "custom_claims", default: {}, null: false
+    t.datetime "updated_at", null: false
+    t.integer "user_id", null: false
+    t.index ["application_id", "user_id"], name: "index_app_user_claims_unique", unique: true
+    t.index ["application_id"], name: "index_application_user_claims_on_application_id"
+    t.index ["user_id"], name: "index_application_user_claims_on_user_id"
+  end
+
   create_table "applications", force: :cascade do |t|
     t.integer "access_token_ttl", default: 3600
     t.boolean "active", default: true, null: false
@@ -169,10 +180,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_22_235519) do
     t.boolean "totp_required", default: false, null: false
     t.string "totp_secret"
     t.datetime "updated_at", null: false
+    t.string "username"
     t.string "webauthn_id"
     t.boolean "webauthn_required", default: false, null: false
     t.index ["email_address"], name: "index_users_on_email_address", unique: true
     t.index ["status"], name: "index_users_on_status"
+    t.index ["username"], name: "index_users_on_username", unique: true
     t.index ["webauthn_id"], name: "index_users_on_webauthn_id", unique: true
   end
 
@@ -200,6 +213,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_22_235519) do
 
   add_foreign_key "application_groups", "applications"
   add_foreign_key "application_groups", "groups"
+  add_foreign_key "application_user_claims", "applications", on_delete: :cascade
+  add_foreign_key "application_user_claims", "users", on_delete: :cascade
   add_foreign_key "oidc_access_tokens", "applications"
   add_foreign_key "oidc_access_tokens", "users"
   add_foreign_key "oidc_authorization_codes", "applications"