Implement tenant import and RP auto login policies

backend/internal/handler/auth_handler_dynamic_claims_test.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
 	"bytes"
 	"encoding/json"
@@ -178,6 +179,103 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
 	assert.Equal(t, "Architect", capturedClaims["position"])
 }
 
+func TestAcceptConsentRequest_IncludesRPProfileClaims(t *testing.T) {
+	var capturedClaims map[string]interface{}
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-profile" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"challenge":       "challenge-rp-profile",
+				"requested_scope": []string{"openid", "profile"},
+				"subject":         "user-123",
+				"client": map[string]interface{}{
+					"client_id": "client-app",
+					"metadata": map[string]interface{}{
+						"customUserSchema": []map[string]interface{}{
+							{
+								"key":          "approvalLevel",
+								"label":        "승인 등급",
+								"type":         "text",
+								"claimEnabled": true,
+							},
+							{
+								"key":          "internalMemo",
+								"label":        "내부 메모",
+								"type":         "text",
+								"claimEnabled": false,
+							},
+						},
+					},
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-rp-profile" {
+			body, _ := io.ReadAll(r.Body)
+			var acceptReq map[string]interface{}
+			json.Unmarshal(body, &acceptReq)
+			if session, ok := acceptReq["session"].(map[string]interface{}); ok {
+				capturedClaims = session["id_token"].(map[string]interface{})
+			}
+
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+	h.KratosAdmin.(*MockKratosAdminService).On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+		ID: "user-123",
+		Traits: map[string]interface{}{
+			"email": "user@test.com",
+			"name":  "Test User",
+		},
+	}, nil)
+	repo := new(devMockRPUserMetadataRepo)
+	repo.On("Get", mock.Anything, "client-app", "user-123").Return(&domain.RPUserMetadata{
+		ClientID: "client-app",
+		UserID:   "user-123",
+		Metadata: domain.JSONMap{
+			"approvalLevel": "A",
+			"internalMemo":  "관리자 전용",
+		},
+	}, nil).Once()
+	h.RPUserMetadataRepo = repo
+
+	app := fiber.New()
+	app.Post("/api/v1/auth/consent/accept", h.AcceptConsentRequest)
+
+	reqBody, _ := json.Marshal(map[string]interface{}{
+		"consent_challenge": "challenge-rp-profile",
+		"grant_scope":       []string{"openid", "profile"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	assert.NotNil(t, capturedClaims)
+	rpProfiles, ok := capturedClaims["rp_profiles"].([]interface{})
+	assert.True(t, ok)
+	assert.Len(t, rpProfiles, 1)
+	profile := rpProfiles[0].(map[string]interface{})
+	assert.Equal(t, "client-app", profile["client_id"])
+	fields := profile["fields"].(map[string]interface{})
+	assert.Equal(t, "A", fields["approvalLevel"])
+	assert.NotContains(t, fields, "internalMemo")
+	repo.AssertExpectations(t)
+}
+
 func TestGetConsentRequest_Skip_DynamicClaims(t *testing.T) {
 	var capturedClaims map[string]interface{}