From 3875d546bce2ea494d5e202d502746ac0f6595d5 Mon Sep 17 00:00:00 2001
From: tegwick <bernd.worsch@gmail.com>
Date: Fri, 19 Jun 2026 21:04:31 +0200
Subject: [PATCH] Expose OIDC auth mounts to unauthenticated OpenBao UI listing

Set listing_visibility=unauth on netkingdom and keycape during OIDC configure
so the browser login mask can select KeyCape instead of falling back to token.
---
 sso-mfa/k8s/keycape/configure-openbao-oidc.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sso-mfa/k8s/keycape/configure-openbao-oidc.sh b/sso-mfa/k8s/keycape/configure-openbao-oidc.sh
index c3be11a..8106abd 100644
--- a/sso-mfa/k8s/keycape/configure-openbao-oidc.sh
+++ b/sso-mfa/k8s/keycape/configure-openbao-oidc.sh
@@ -73,7 +73,8 @@ ROLE_JSON
       default_role="platform-admin"
 
     bao write "auth/${mount}/role/platform-admin" @/tmp/openbao-platform-admin-role.json
-    printf "configured auth/%s/role/platform-admin\n" "$mount" >&2
+    bao write "sys/auth/${mount}/tune" listing_visibility=unauth
+    printf "configured auth/%s/role/platform-admin and listing_visibility=unauth\n" "$mount" >&2
   done
 
   rm -f /tmp/openbao-platform-admin-role.json /tmp/openbao-*-auth-enable.out /tmp/openbao-*-auth-enable.err