Under certain conditions, the OpenID Connect group sync kicks users out of all Discourse groups without a synced oidc group.
The logs and overall situation indicate that this is triggered when a user loses a single (unsynced) oidc group. The system apparently intends to kick the user out of the single group (which doesn’t exist), as it uses the group name of the lost group in its change note.
But instead, it kicks them out of all unsynced groups.
Considering the loss of access this can trigger, I consider this a quite high-priority bug.
By the way, is there a global log of group membership changes? That would make recovery much easier, but I found only the log per group.
Can you let me know if this summary is correct?
- prior state:
  - user bilbo is in groups A, B, C on Discourse
  - groups B and C are set up for automatic membership with OIDC groups b and c (respectively)
  - OpenID Connect groups claim is set to e.g. groups
- action taken:
  - user bilbo logs in via OIDC
  - oidc claim contains groups c, d
  - (group D does not exist on Discourse)
  - Discourse removes bilbo from groups A and B
    - removing the A group membership is incorrect
I don’t have a second synced group B yet. Otherwise yes.
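An added illustration of the reconciliation the summary above expects (this is not Discourse's code; the user and group names are the thread's, the Discourse-to-OIDC group mapping is an assumed configuration): only groups configured for automatic membership are touched, so losing oidc group b removes B but leaves the unsynced group A alone, and the unmapped claim value d is ignored.

```ruby
require "set"

# Assumed configuration: Discourse groups set up for automatic membership,
# mapped to the OIDC group name that grants them. Anything not listed here
# is an ordinary group the sync must never manage.
SYNCED_GROUPS = { "B" => "b", "C" => "c" }.freeze

# Compute the membership changes for one login.
#   current_groups - Discourse groups the user holds before login
#   claim_groups   - values of the OIDC groups claim in the token
# Returns { add: [...], remove: [...] } of Discourse group names.
def reconcile(current_groups:, claim_groups:, synced: SYNCED_GROUPS)
  claim   = claim_groups.to_set
  managed = synced.keys.to_set
  current = current_groups.to_set

  # Groups the claim entitles the user to (claim values with no mapping,
  # like "d", simply drop out here).
  wanted = synced.select { |_group, oidc| claim.include?(oidc) }.keys.to_set

  # Remove only managed groups the user holds that the claim no longer
  # grants. Unmanaged groups (A) are never in this set, which is the
  # behaviour the thread reports as broken.
  remove = (current & managed) - wanted
  add    = wanted - current

  { add: add.to_a.sort, remove: remove.to_a.sort }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario from the thread: bilbo is in A, B, C; the token
  # carries groups c and d.
  p reconcile(current_groups: %w[A B C], claim_groups: %w[c d])
  # {:add=>[], :remove=>["B"]}
end
```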