Keycloak shenanigans

This commit is contained in:
2026-02-25 22:24:44 +01:00
parent 88ff6ddae5
commit 4ad03403aa
6 changed files with 29 additions and 20 deletions


@@ -47,7 +47,7 @@ Go to **Clients → labhelper → Client scopes** tab → click the dedicated sc
|---|---|---|
| Name | `groups` | Label for this mapper |
| Token Claim Name | `groups` | The claim name the app reads from the token |
| Full group path | Off | Sends `Lab Administrators` instead of `/Lab Administrators`. The app strips leading slashes anyway, but this is cleaner |
| Full group path | Off | Sends `LabHelper Administrators` instead of `/LabHelper Administrators`. The app strips leading slashes anyway, but this is cleaner |
| Add to ID token | On | |
| Add to access token | On | |
| Add to userinfo | On | The app fetches userinfo after the token exchange |
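Review bot: the renamed row keeps "Full group path: Off", and the justification ("cleaner", "the app strips leading slashes anyway") undersells what that setting does: with the full path off, Keycloak emits only the leaf group name, so a subgroup named `LabHelper Administrators` anywhere in the group tree produces the same `groups` claim as the top-level group and would be treated as admin by the matching described later in this file. Either say explicitly that only flat, top-level groups are expected and that nobody below realm-admin may create groups, or keep the full path on and match on `/LabHelper Administrators` instead of relying on the slash-stripping.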
@@ -56,9 +56,9 @@ Go to **Clients → labhelper → Client scopes** tab → click the dedicated sc
Go to **Groups** (left sidebar) and create these three groups with exactly these names — they map to the existing Django groups:
- `Lab Administrators` — gets `is_staff=True` in Django (admin access)
- `Lab Staff`
- `Lab Viewers`
- `LabHelper Administrators` — gets `is_staff=True` in Django (admin access)
- `LabHelper Staff`
- `LabHelper Viewers`
### 6. Ensure users have an email address
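Review bot: the list says the groups must have "exactly these names — they map to the existing Django groups", but renaming `Lab Administrators`/`Lab Staff`/`Lab Viewers` to the `LabHelper ...` names here only changes the documentation; the section should say where the Django groups get their names (fixture, data migration, or manual creation in the admin) and that an existing deployment with the old names must rename them, otherwise users will log in with a `groups` claim that matches nothing and silently lose their permissions. A one-line note under the list, such as "existing installs: rename the three Django groups to match before switching over", would cover it.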
@@ -120,7 +120,7 @@ Overrides `OIDCAuthenticationBackend` to:
- Use `preferred_username` from Keycloak as the Django username
- Set `first_name` and `last_name` from `given_name` / `family_name` claims
- Sync group memberships on every login — if a user is added to or removed from a Keycloak group, it takes effect at their next login
- Set `is_staff=True` for members of `Lab Administrators` (grants Django admin access)
- Set `is_staff=True` for members of `LabHelper Administrators` (grants Django admin access)
`django.contrib.auth.backends.ModelBackend` is kept as a fallback so the Django admin login form still works with a local username/password (useful for emergency superuser access without Keycloak).
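Review bot: the bullet still only states that `is_staff=True` is set for members of `LabHelper Administrators`, while the bullet above promises that removal from a Keycloak group "takes effect at their next login". It should also say whether `is_staff` is reset to `False` when the `groups` claim no longer contains that group; if the backend only ever sets the flag, a user removed from the admin group keeps Django admin access indefinitely, which is the kind of revocation gap the group sync exists to prevent. Document the behaviour either way, and the same applies to the local-password `ModelBackend` fallback mentioned here, which bypasses the sync entirely.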