Rewrite README and formalize admin_user_class config option

Strip the README down to usage docs: remove the why-this-gem-exists
narrative, the "first-class Zitadel" framing (replaced with a neutral
"used in production by the authors against Zitadel"), the roadmap, and
the "what this gem does NOT reimplement" section.

Add the documentation that was missing:

- Host-app setup checklist (active_admin.rb, admin_user.rb, devise.rb,
  the generated initializer) with the exact lines each file needs.
- Full Configuration reference: commented example block plus a table of
  every option, its default, and its purpose.
- Detailed on_login hook section: signature, argument semantics, how
  denial is surfaced, how exceptions are handled, and three worked
  examples (Zitadel nested roles, department gating, Keycloak groups).
- Reading-additional-claims section showing how to pull arbitrary
  claims off the hash and how oidc_raw_info is stored.
- Security notes: guidance on safe vs unsafe identity_attribute
  choices and the unique-index requirement.
- Logger section documenting ActiveAdmin::Oidc.logger.

Formalize admin_user_class as a real Configuration option:

- Add :admin_user_class accessor with default "AdminUser"
- UserProvisioner now resolves via config.admin_user_class (String or
  Class), dropping the old respond_to?-based hack that silently never
  fired because Configuration did not expose the reader.
- Add specs for both code paths (String + Class).

Author: Fivell

README.md

@@ -1,16 +1,10 @@
 # activeadmin-oidc
 
-OpenID Connect single sign-on for [ActiveAdmin](https://activeadmin.info/), with a first-class [Zitadel](https://zitadel.com/) preset.
+OpenID Connect single sign-on for [ActiveAdmin](https://activeadmin.info/).
 
-This gem plugs generic OIDC SSO into ActiveAdmin's existing Devise stack. It builds on [`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect) for the OIDC protocol and adds the wiring ActiveAdmin apps actually need: JIT user provisioning, role mapping from provider claims, a Zitadel preset for the nested `urn:zitadel:iam:org:project:roles` claim, a login-view override, and a single install generator.
+Plugs OIDC into ActiveAdmin's existing Devise stack: JIT user provisioning, an `on_login` hook for host-owned authorization, a login-button view override, and a one-shot install generator. The OIDC protocol layer (discovery, JWKS, token verification, PKCE, nonce, state) is delegated to [`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect).
 
-## Why not just follow the ActiveAdmin wiki?
-
-The [ActiveAdmin OAuth wiki recipe](https://github.com/activeadmin/activeadmin/wiki/Log-in-through-OAuth-providers) is a 200-line copy-paste that only covers Google and doesn't handle role mapping, account linking, or Zitadel's claim shape. This gem packages the wiring once so you can `rails g active_admin:oidc:install` and be done.
-
-## What this gem does NOT reimplement
-
-The OIDC protocol layer — discovery, JWKS, token verification, PKCE, nonce, state — is delegated to the maintained upstream [`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect) gem. This gem is a convention-over-configuration wrapper, not a new OIDC client.
+Used in production by the authors against [Zitadel](https://zitadel.com/); the `:zitadel` preset below covers that wiring. Other compliant OIDC providers work via the standard omniauth_openid_connect options.
 
 ## Installation
 
@@ -25,60 +19,236 @@ bin/rails generate active_admin:oidc:install
 bin/rails db:migrate
 ```
 
-Then fill in `config/initializers/activeadmin_oidc.rb` with your issuer and client id.
-
 ## Host-app setup checklist
 
-The generator can't modify your `active_admin.rb` or `admin_user.rb` for you. Make sure these are in place — the install generator will print a "next steps" reminder, but you may as well do them up front:
+The generator creates the initializer and migration, but it cannot edit your `active_admin.rb` or `admin_user.rb`. Four things have to be in place:
+
+### 1. `config/initializers/active_admin.rb`
+
+```ruby
+config.authentication_method = :authenticate_admin_user!
+config.current_user_method   = :current_admin_user
+```
+
+Without these, `/admin` is public to anyone and the utility navigation (including the logout button) renders empty.
+
+### 2. `app/models/admin_user.rb`
+
+```ruby
+class AdminUser < ApplicationRecord
+  devise :database_authenticatable,
+         :rememberable,
+         :omniauthable, omniauth_providers: [:oidc]
+
+  serialize :oidc_raw_info, coder: JSON
+end
+```
+
+### 3. `config/initializers/devise.rb`
+
+ActiveAdmin mounts Devise under `/admin`, so OmniAuth's path prefix has to match:
 
-1. **`config/initializers/active_admin.rb`** — uncomment both of these:
+```ruby
+config.omniauth_path_prefix = "/admin/auth"
+```
+
+### 4. `config/initializers/activeadmin_oidc.rb` (generated)
+
+Fill in at minimum `issuer`, `client_id`, and an `on_login` hook. Full reference below.
+
+## Configuration
+
+```ruby
+ActiveAdmin::Oidc.configure do |c|
+  # --- Provider endpoints -----------------------------------------------
+  c.issuer        = ENV.fetch("OIDC_ISSUER")
+  c.client_id     = ENV.fetch("OIDC_CLIENT_ID")
+  c.client_secret = ENV.fetch("OIDC_CLIENT_SECRET", nil) # blank ⇒ PKCE public client
+
+  # --- Optional transport-layer preset ----------------------------------
+  # Sets scope and enables PKCE automatically when no client_secret is set.
+  # c.preset :zitadel
+
+  # --- OIDC scopes ------------------------------------------------------
+  # c.scope = "openid email profile"
+
+  # --- Identity lookup --------------------------------------------------
+  # Which AdminUser column to match existing rows against, and which
+  # claim on the id_token/userinfo to read for the lookup.
+  # c.identity_attribute = :email
+  # c.identity_claim     = :email
+
+  # --- AdminUser model resolution ---------------------------------------
+  # Accepts a String (lazy constant lookup, recommended) or a Class.
+  # Use when your model is not literally ::AdminUser.
+  # c.admin_user_class = "Admin::User"
+
+  # --- UI copy ----------------------------------------------------------
+  # c.login_button_label    = "Sign in with Corporate SSO"
+  # c.access_denied_message = "Your account has no permission to access this admin panel."
+
+  # --- PKCE override ----------------------------------------------------
+  # By default PKCE is enabled iff client_secret is blank. Override:
+  # c.pkce = true
+
+  # --- Authorization hook (REQUIRED) ------------------------------------
+  c.on_login = ->(admin_user, claims) {
+    # ... see "The on_login hook" below
+    true
+  }
+end
+```
 
-   ```ruby
-   config.authentication_method = :authenticate_admin_user!
-   config.current_user_method   = :current_admin_user
-   ```
+### Option reference
 
-   Without these, `/admin` is public to anyone and the utility navigation (including the logout button) renders empty.
+| Option | Default | Purpose |
+|---|---|---|
+| `issuer` | — (required) | OIDC discovery base URL |
+| `client_id` | — (required) | IdP client identifier |
+| `client_secret` | `nil` | Blank ⇒ PKCE public client |
+| `scope` | `"openid email profile"` | Space-separated OIDC scopes |
+| `pkce` | auto | `true` when `client_secret` is blank; overridable |
+| `identity_attribute` | `:email` | AdminUser column used for lookup/adoption |
+| `identity_claim` | `:email` | Claim key read from the id_token/userinfo |
+| `admin_user_class` | `"AdminUser"` | String or Class for the host's admin user model |
+| `login_button_label` | `"Sign in with SSO"` | Label on the login-page button |
+| `access_denied_message` | generic | Flash shown on any denial |
+| `on_login` | — (required) | Authorization hook; see below |
 
-2. **`app/models/admin_user.rb`** — the Devise call must include `:omniauthable` and declare the `oidc` provider:
+## The `on_login` hook
 
-   ```ruby
-   class AdminUser < ApplicationRecord
-     devise :database_authenticatable,
-            :rememberable,
-            :omniauthable, omniauth_providers: [:oidc]
+`on_login` is the **only** place authorization lives. The gem handles authentication (the user proved who they are via the IdP); deciding whether that user is allowed into the admin panel — and what they can see once they are in — is the host application's problem. The gem does not ship a role model.
 
-     serialize :oidc_raw_info, coder: JSON
-   end
-   ```
+### Signature
 
-3. **`config/initializers/devise.rb`** — ActiveAdmin mounts Devise under `/admin`, so OmniAuth's path prefix has to match:
+```ruby
+c.on_login = ->(admin_user, claims) {
+  # admin_user: an instance of the configured admin_user_class.
+  #             Either a pre-existing row (matched by provider/uid or by
+  #             identity_attribute) or an unsaved new record.
+  # claims:     a Hash of String keys. Contains everything the IdP
+  #             returned in the id_token/userinfo, plus the top-level
+  #             `sub` (copied from the OmniAuth uid) and `email`
+  #             (copied from info.email) for convenience.
+  #             access_token / refresh_token / id_token are NEVER
+  #             present — they are stripped before this hook runs.
+  #
+  # Return truthy to allow sign-in.
+  # Return falsy (false/nil) to deny: the user sees a generic denial
+  # flash and no AdminUser record is persisted or mutated.
+  #
+  # Any mutations you make to admin_user are persisted automatically
+  # after the hook returns truthy.
+  #
+  # Exceptions raised inside the hook are logged at :error via
+  # ActiveAdmin::Oidc.logger and surface to the user as the same
+  # generic denial flash — the callback action never 500s.
+  true
+}
+```
+
+### Example A — Zitadel nested project roles claim
+
+Zitadel emits roles under the custom claim `urn:zitadel:iam:org:project:roles`, shaped as `{ "role-name" => { "org-id" => "org-name" } }`. Flatten the keys into a string array on the AdminUser.
 
-   ```ruby
-   config.omniauth_path_prefix = "/admin/auth"
-   ```
+```ruby
+c.on_login = ->(admin_user, claims) {
+  roles = claims["urn:zitadel:iam:org:project:roles"]&.keys || []
+  return false if roles.empty?
+
+  admin_user.roles = roles
+  admin_user.name  = claims["name"] if claims["name"].present?
+  true
+}
+```
 
-4. **`config/initializers/activeadmin_oidc.rb`** (generated) — set at minimum `c.issuer`, `c.client_id`, and an `c.on_login` hook that decides whether a given user is allowed in.
+### Example B — department-based gating
+
+```ruby
+KNOWN_DEPARTMENTS = %w[ops eng support].freeze
+
+c.on_login = ->(admin_user, claims) {
+  dept = claims["department"]
+  return false unless KNOWN_DEPARTMENTS.include?(dept)
+
+  admin_user.department = dept
+  true
+}
+```
+
+### Example C — syncing from a standard `groups` claim (Keycloak-style)
+
+```ruby
+ADMIN_GROUP = "admins"
+
+c.on_login = ->(admin_user, claims) {
+  groups = Array(claims["groups"])
+  return false unless groups.include?(ADMIN_GROUP)
+
+  admin_user.super_admin = groups.include?("super-admins")
+  true
+}
+```
+
+## Reading additional claims from the callback
+
+Every key the IdP returns in the id_token or userinfo is passed to `on_login` as part of `claims`. Custom claims work the same as standard ones — just read them by key:
+
+```ruby
+c.on_login = ->(admin_user, claims) {
+  admin_user.employee_id    = claims["employee_id"]
+  admin_user.given_name     = claims["given_name"]
+  admin_user.family_name    = claims["family_name"]
+  admin_user.locale         = claims["locale"]
+  admin_user.email_verified = claims["email_verified"]
+  # Nested / structured claims come through as whatever the IdP sent.
+  # Zitadel metadata, for instance:
+  admin_user.tenant_id      = claims.dig("urn:zitadel:iam:user:metadata", "tenant_id")
+  true
+}
+```
+
+The full claim hash (minus `access_token` / `refresh_token` / `id_token`) is also stored on the admin user as `oidc_raw_info` — a JSON column created by the install generator. Read it later outside the hook for debugging or for showing the user's profile from the IdP:
+
+```ruby
+AdminUser.last.oidc_raw_info
+# => { "sub" => "...", "email" => "...", "groups" => [...], ... }
+```
 
 ## Sign-in flow
 
-* A login button is added to the ActiveAdmin sessions page via a prepended view override — you don't need to edit any templates.
-* Clicking it POSTs to `/admin/auth/oidc` with a Rails CSRF token (the gem forces OmniAuth 2.x's authenticity check to delegate to Rails' forgery protection, so `button_to` just works).
-* After a successful callback the user is signed in and redirected directly to `/admin` — the gem doesn't assume the host has a `root` route.
-* Logout goes through Devise's stock session destroy; no `end_session_endpoint` ping to the IdP. If you want RP-initiated single-logout, override the destroy action in your host app.
+* A login button is added to the ActiveAdmin sessions page via a prepended view override — no templates to edit.
+* Clicking it POSTs to `/admin/auth/oidc` with a Rails CSRF token. The gem loads `omniauth-rails_csrf_protection` so OmniAuth 2.x delegates its authenticity check to Rails' forgery protection and `button_to` just works.
+* After a successful callback the user is signed in and redirected to `/admin` (not the host app's `/`, which may not exist).
+* Logout goes through Devise's stock session destroy. No RP-initiated single-logout ping to the IdP — override the destroy action in your host app if you need that.
+
+## Security notes
+
+### Choice of `identity_attribute`
 
-## Status and roadmap
+The `identity_attribute` column is used to adopt existing AdminUser rows on first SSO login — an existing user with that value in that column, and no `provider`/`uid` yet, gets linked to the IdP identity. **Do not** point this at a column the IdP can influence and that is also security-sensitive. Safe choices: `:email`, `:username`, `:employee_id`. Unsafe choices: `:admin`, `:super_admin`, `:password_digest`, `:roles` — anything whose value encodes a permission.
 
-Design and test plan are locked. See [`docs/TEST_PLAN.md`](docs/TEST_PLAN.md) for the full TDD/BDD roadmap. Implementation follows red-green-refactor in this order:
+### Unique index on the identity column
+
+To prevent concurrent first-logins from creating two AdminUser rows for the same person, the column used as `identity_attribute` should have a database-level unique index. For the default `:email` case the standard Devise migration already adds this. If you pick a custom attribute, add the index yourself:
+
+```ruby
+add_index :admin_users, :employee_id, unique: true
+```
 
-1. `Configuration`
-2. `Discovery` wrapper over omniauth_openid_connect discovery
-3. `RoleResolver`
-4. `UserProvisioner`
-5. `Presets::Zitadel`
-6. Rails engine, routes, `SessionsController`
-7. Install generator
-8. Security hardening pass
+The gem also adds a unique `(provider, uid)` partial index in its own install migration.
+
+### What's filtered from logs
+
+The initializer merges `code`, `id_token`, `access_token`, `refresh_token`, `state`, and `nonce` into `Rails.application.config.filter_parameters` so a mid-callback crash can't dump them into production logs. Your own `filter_parameters` entries are preserved.
+
+## Logger
+
+The gem logs internal diagnostics (on_login exceptions, omniauth failures) via `ActiveAdmin::Oidc.logger`. It defaults to `Rails.logger` when Rails is booted, falling back to a null logger otherwise. Override by assigning directly:
+
+```ruby
+ActiveAdmin::Oidc.logger = MyStructuredLogger.new
+```
 
 ## License
 

lib/activeadmin/oidc/configuration.rb

@@ -8,13 +8,14 @@ class Configuration
       DEFAULT_IDENTITY_ATTRIBUTE  = :email
       DEFAULT_IDENTITY_CLAIM      = :email
       DEFAULT_LOGIN_BUTTON_LABEL  = "Sign in with SSO"
+      DEFAULT_ADMIN_USER_CLASS    = "AdminUser"
       DEFAULT_ACCESS_DENIED_MESSAGE =
         "Your account has no permission to access this admin panel."
 
       attr_accessor :issuer, :client_id, :client_secret, :scope,
                     :login_button_label, :timeout,
                     :identity_attribute, :identity_claim,
-                    :access_denied_message, :on_login
+                    :access_denied_message, :on_login, :admin_user_class
 
       def initialize
         reset!
@@ -30,6 +31,7 @@ def reset!
         @identity_attribute    = DEFAULT_IDENTITY_ATTRIBUTE
         @identity_claim        = DEFAULT_IDENTITY_CLAIM
         @access_denied_message = DEFAULT_ACCESS_DENIED_MESSAGE
+        @admin_user_class      = DEFAULT_ADMIN_USER_CLASS
         @on_login              = nil
         @pkce_override         = nil
         self

lib/activeadmin/oidc/user_provisioner.rb

@@ -47,14 +47,12 @@ def call
       private
 
       def model
-        @model ||= admin_user_class
+        @model ||= resolve_admin_user_class
       end
 
-      def admin_user_class
-        klass_name = @config.respond_to?(:admin_user_class) && @config.admin_user_class
-        return klass_name if klass_name.is_a?(Class)
-
-        Object.const_get(klass_name || "AdminUser")
+      def resolve_admin_user_class
+        value = @config.admin_user_class
+        value.is_a?(Class) ? value : Object.const_get(value)
       end
 
       def validate_claims!

spec/unit/configuration_spec.rb

@@ -32,6 +32,10 @@
       expect(config.access_denied_message).to match(/permission/i)
     end
 
+    it "defaults admin_user_class to the string 'AdminUser'" do
+      expect(config.admin_user_class).to eq("AdminUser")
+    end
+
     it "has no issuer by default" do
       expect(config.issuer).to be_nil
     end

spec/unit/user_provisioner_spec.rb

@@ -188,6 +188,22 @@
     end
   end
 
+  describe "admin_user_class configuration" do
+    it "defaults to looking up the AdminUser constant" do
+      expect { provisioner.call }.to change(AdminUser, :count).by(1)
+    end
+
+    it "accepts a Class reference directly" do
+      config.admin_user_class = AdminUser
+      expect { provisioner.call }.to change(AdminUser, :count).by(1)
+    end
+
+    it "accepts a String class name for lazy resolution" do
+      config.admin_user_class = "AdminUser"
+      expect { provisioner.call }.to change(AdminUser, :count).by(1)
+    end
+  end
+
   describe "concurrent first-login race" do
     it "results in exactly one AdminUser for a given (provider, uid)" do
       # Simulate two callbacks racing: both see no existing row, both try to