Fix OIDC login role downgrading for users without claims#3103
Fix OIDC login role downgrading for users without claims#3103gantoine merged 3 commits intorommapp:masterfrom
Conversation
Co-authored-by: pacnpal <[email protected]>
Fix OIDC login downgrading existing user roles when provider sends no role claims
Greptile SummaryThis PR fixes a bug in the OIDC authentication flow where an existing user's role could be unintentionally overwritten (typically downgraded to Key changes:
One note worth considering: When a new user (not yet in the database) logs in and the role claim is absent from Confidence Score: 5/5
Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Receive OIDC token] --> B{userinfo present?}
B -- No --> ERR1[400 Bad Request]
B -- Yes --> C{email present?}
C -- No --> ERR2[400 Bad Request]
C -- Yes --> D{email_verified check}
D -- Fail --> ERR3[400 Bad Request]
D -- Pass --> E["role = VIEWER\nclaims_provided = False"]
E --> F{"OIDC_CLAIM_ROLES configured\nAND present in userinfo?"}
F -- Yes --> G["claims_provided = True\nResolve role from claim"]
G --> H{Role matched?}
H -- No match --> ERR4[403 Forbidden]
H -- Match --> I{User in DB?}
F -- No --> I
I -- "No (new user)" --> J["Create user with current role\n(VIEWER if claims_provided=False)"]
I -- "Yes (existing user)" --> K{"claims_provided AND\nuser.role != resolved role?"}
K -- No --> L[Preserve existing role]
K -- Yes --> M[Update user role in DB]
J --> N{user.enabled?}
L --> N
M --> N
N -- No --> ERR5[UserDisabledException]
N -- Yes --> Z[Return user, userinfo]
Last reviewed commit: cf6f69b |
There was a problem hiding this comment.
Pull request overview
Adjusts OIDC role-sync behavior so existing users’ roles are only updated when the OIDC provider actually supplies the configured roles claim, preventing unintended downgrades when the claim is absent.
Changes:
- Gate role updates for existing users behind a new “roles claim present in userinfo” condition.
- Add a regression test ensuring no role update occurs when the roles claim is configured but missing from
userinfo.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| backend/handler/auth/base_handler.py | Tracks whether the roles claim is present and only updates an existing user’s role when it is. |
| backend/tests/handler/auth/test_oidc.py | Adds a test to prevent role downgrades when userinfo omits the configured roles claim. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Description
This pull request makes improvements to the OpenID Connect (OIDC) authentication flow, specifically around how user roles are updated based on OIDC claims. The main change is to ensure that a user's role is only updated if the OIDC provider actually supplies the relevant role claim, preventing unintended role changes when the claim is absent. Additionally, new tests have been added to verify this behavior.
OIDC role claim handling improvements:
get_current_active_user_from_openid_token(base_handler.py) now checks whether the OIDC role claim is present inuserinfobefore attempting to update a user's role, using a newclaims_providedflag.Testing enhancements:
test_oidc_valid_no_edit_user_role_if_claim_not_in_userinfoto ensure that user roles are not changed when the OIDC role claim is configured but not provided by the OIDC provider.Checklist
Please check all that apply.