From b9f99fd89e83ad443cd1d20c9f5e20f7382c69a0 Mon Sep 17 00:00:00 2001
From: Nandaja Varma
Date: Fri, 20 Dec 2024 06:42:34 +0000
Subject: [PATCH 1/2] [oidc] Fix the HEAD method call that checks reachability
---
 components/public-api-server/pkg/apiv1/oidc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/public-api-server/pkg/apiv1/oidc.go b/components/public-api-server/pkg/apiv1/oidc.go
index 3ee2555e896b62..964a4720753c1a 100644
--- a/components/public-api-server/pkg/apiv1/oidc.go
+++ b/components/public-api-server/pkg/apiv1/oidc.go
@@ -493,7 +493,7 @@ func assertIssuerIsReachable(ctx context.Context, issuer *url.URL) error {
 },
 }
- req, err := http.NewRequestWithContext(ctx, http.MethodHead, issuer.String(), nil)
+ req, err := http.NewRequestWithContext(ctx, http.MethodHead, issuer.String()+"/.well-known/openid-configuration", nil)
 if err != nil {
 return err
 }
From 177efc551654c08117b634914614319bc5908a6d Mon Sep 17 00:00:00 2001
From: Gero Posmyk-Leinemann
Date: Fri, 20 Dec 2024 07:43:33 +0000
Subject: [PATCH 2/2] [server] Fix setup flow
---
 components/server/src/user/user-authentication.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/components/server/src/user/user-authentication.ts b/components/server/src/user/user-authentication.ts
index ddb2f3051fb631..e665f9bce62a53 100644
--- a/components/server/src/user/user-authentication.ts
+++ b/components/server/src/user/user-authentication.ts
@@ -6,7 +6,7 @@ import { injectable, inject } from "inversify";
 import { User, Identity, Token, IdentityLookup } from "@gitpod/gitpod-protocol";
-import { EmailDomainFilterDB, MaybeUser, UserDB } from "@gitpod/gitpod-db/lib";
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, EmailDomainFilterDB, MaybeUser, UserDB } from "@gitpod/gitpod-db/lib";
 import { HostContextProvider } from "../auth/host-context-provider";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { Config } from "../config";
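Review bot: String-concatenating `"/.well-known/openid-configuration"` onto `issuer.String()` on the added line yields a double slash (`//.well-known/...`) whenever the configured issuer already ends with `/`, which some providers treat as a different, non-existent resource and which would make the reachability check fail for an otherwise valid issuer. Build the discovery URL with the URL API instead, which normalises the joined path: `req, err := http.NewRequestWithContext(ctx, http.MethodHead, issuer.JoinPath(".well-known", "openid-configuration").String(), nil)` (available since Go 1.19; if the module targets an older toolchain, trim the trailing slash with `strings.TrimSuffix` before appending). The HEAD probe only establishes that the endpoint answers; whatever validates the response status, and whether redirects to another host are followed, lies outside this hunk, so a short comment above the request such as `// Reachability probe only: the discovery document itself is not validated here.` would make that boundary explicit for the next reader. The body of assertIssuerIsReachable starts and ends outside the hunk.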
@@ -214,7 +214,10 @@ export class UserAuthentication {
 const isMultiOrgEnabled = await getExperimentsClientForBackend().getValueAsync("enable_multi_org", false, {
 gitpodHost: this.config.hostUrl.url.host,
 });
- return isAllowedToCreateOrganization(user, isDedicated, isMultiOrgEnabled);
+ return (
+ isAllowedToCreateOrganization(user, isDedicated, isMultiOrgEnabled) ||
+ (isDedicated && user.id === BUILTIN_INSTLLATION_ADMIN_USER_ID)
+ );
 }
 async isBlocked(params: CheckIsBlockedParams): Promise {
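Review bot: The added `||` branch grants organization creation to the built-in installation admin on Dedicated unconditionally, bypassing both `isAllowedToCreateOrganization` and the `enable_multi_org` evaluation just above it, and nothing on the line records why; a reader will not connect it to the setup flow named only in the commit title. Add a why-comment above the `return (`, e.g. `// Dedicated setup: the built-in installation admin must be able to create the first organization before the regular policy can apply.` If the exception is meant for initial setup only, it is worth checking whether it should additionally be gated on setup not yet being complete, since as written it is a permanent privilege for that user id; the hunk does not show whether such state is available, so this is a question rather than a confirmed defect. The enclosing method begins outside the hunk.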