fix race condition in JIT provisioning, use route helper for SSO form

- Add RetryProvisioning to handle concurrent first logins: when
  RecordNotUnique is raised on save, retry call once so
  find_or_adopt_or_build finds the now-persisted record
- Use omniauth_authorize_path helper instead of hardcoded /admin/auth/oidc
- Simplify resolve_admin_user_class to use constantize

Author: Fivell

app/views/active_admin/devise/sessions/new.html.erb

@@ -1,7 +1,7 @@
 <div id="login">
   <h2><%= active_admin_application.site_title(self) %></h2>
 
-  <%= form_tag "/admin/auth/oidc", method: :post, data: { turbo: false } do %>
+  <%= form_tag omniauth_authorize_path(resource_name, :oidc), method: :post, data: { turbo: false } do %>
     <%= submit_tag ActiveAdmin::Oidc.config.login_button_label %>
   <% end %>
 </div>

lib/activeadmin-oidc.rb

@@ -25,6 +25,7 @@ module Oidc
     class Error < StandardError; end
     class ConfigurationError < Error; end
     class ProvisioningError < Error; end
+    class RetryProvisioning < Error; end
 
     class << self
       def config

lib/activeadmin/oidc/user_provisioner.rb

@@ -42,6 +42,10 @@ def call
 
         save!(admin_user)
         admin_user
+      rescue RetryProvisioning
+        # Concurrent JIT provisioning: another thread inserted first.
+        # Re-run once — find_or_adopt_or_build will now find the record.
+        retry
       end
 
       private
@@ -51,8 +55,7 @@ def model
       end
 
       def resolve_admin_user_class
-        value = @config.admin_user_class
-        value.is_a?(Class) ? value : Object.const_get(value)
+        @config.admin_user_class.is_a?(Class) ? @config.admin_user_class : @config.admin_user_class.constantize
       end
 
       def validate_claims!
@@ -101,7 +104,14 @@ def sanitized_raw_info
 
       def save!(admin_user)
         admin_user.save!
-      rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotUnique => e
+      rescue ActiveRecord::RecordNotUnique
+        raise ProvisioningError, denial_message if @retried
+
+        # Concurrent JIT provisioning race: the other thread won the
+        # insert. Re-run call once to find the now-persisted record.
+        @retried = true
+        raise RetryProvisioning
+      rescue ActiveRecord::RecordInvalid => e
         raise ProvisioningError, e.message
       end