Learn-skills.dev oracle-idcs-org-provisioning
Use when mapping IDCS claims to org membership after OAuth login succeeds. Covers mapProfileToUser, session.create.before, session.create.after hooks, MERGE INTO upserts, tenant-org mapping, and first-admin bootstrap. Keywords: IDCS groups, org_members, provisioning, session hooks, tenant map, MERGE INTO.
git clone https://github.com/NeverSight/learn-skills.dev
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/acedergren/agentic-tools/oracle-idcs-org-provisioning" ~/.claude/skills/neversight-learn-skills-dev-oracle-idcs-org-provisioning && rm -rf "$T"
data/skills-md/acedergren/agentic-tools/oracle-idcs-org-provisioning/SKILL.mdOracle IDCS Org Provisioning
Use when login succeeds but tenant, role, or org membership still has to become real in Oracle.
Do NOT load when
- problem is Fastify header bridging or cookie/session forwarding
- problem is base OIDC setup, callback URLs, or trusted origins
- task is renaming IDCS concepts across an existing codebase
Three-stage flow
- Capture IDCS claims during OAuth profile mapping (
)mapProfileToUser - Gate session in
when explicit allow-rules existsession.create.before - Resolve org and upsert
inorg_memberssession.create.after
NEVER
- Never combine access gating with role mapping — they are separate decisions with separate failure modes
- Never
thenSELECT
intoINSERT
— use atomicorg_members
or concurrent logins corrupt membershipMERGE INTO - Never consume cached claims in
and expect them still available inbefore
— use stash/peek/consume patternafter - Never bypass existing membership precedence with a newer fallback — re-login instability follows
- Never assume missing
claim is a provisioning bug — check scope config and IDCS app firstgroups
Expert decision trees
Access gate vs. role mapping
These answer different questions:
- Access gate (
hook): can this user enter at all? Controlled by DB-configured allow-groups. Fail closed only when explicit allow-groups exist; fail open otherwise.before - Role mapping (
hook): which role do they get? Controlled by group→role mapping and env defaults.after
Mixing them produces false lockouts: a user passes the access gate but gets the wrong role because the gating logic short-circuited role resolution.
Org resolution precedence
Always use this order — never skip a level for "simplicity":
- Existing membership in
org_members - Tenant-name → org map (DB-configured)
- DB-configured default org
- Env default org
Changing this order mid-deployment breaks re-login for users who were previously assigned via a higher-precedence rule.
First-admin bootstrap
Fresh installs have zero admin-group config. If an org has no admin yet, promote the first provisioned user to
adminClaims cache across hook boundary
Hooks run in separate request lifecycles. The claim set from
mapProfileToUsersession.create.after
in profile mappingstash(sub, claims)
inpeek(sub)
(read without clearing)before
inconsume(sub)
(read and clear)after
Using a short-lived in-memory cache keyed by
subFailure modes by decision point
| Situation | Decision |
|---|---|
No | Check scope and IDCS app config before touching provisioning code |
| No explicit DB allow-groups | Fail open — no lockout |
| DB lookup or write fails | Fail open for login, log it — lockout must never be the default outcome |
| Org has no admin yet | Promote first provisioned user once |
Scripts
# Preview group → role mapping node scripts/preview-group-role-mapping.js "PortalAdmins,Developers" # Preview org resolution node scripts/verify-org-resolution.js --tenant sandbox --map "sandbox:org-123,prod:org-999" --default-org org-000
Arguments
: Optional provisioning focus$ARGUMENTS
— focus on tenant→org resolutiontenant-map
— focus on bootstrap logicfirst-admin- (empty) — evaluate the full IDCS claim → org membership flow