From 76ce7e42d4f8d89eb1da41a3813dad00bfbc8552 Mon Sep 17 00:00:00 2001 From: "Brian M. Long" Date: Mon, 5 May 2025 11:19:46 -0400 Subject: [PATCH 1/3] added multiext runtime dep --- pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pom.xml b/pom.xml index 35f0156..d20cd80 100644 --- a/pom.xml +++ b/pom.xml @@ -92,6 +92,12 @@ + + com.inteligr8.activiti + multiext-activiti-app-ext + 1.0.0 + runtime + From 0a10b06cc83c1ea7170c2199fb747a64d14d962f Mon Sep 17 00:00:00 2001 From: "Brian M. Long" Date: Mon, 5 May 2025 11:41:49 -0400 Subject: [PATCH 2/3] sync.externalId to externalId --- README.md | 2 +- .../activiti/auth/ActivitiAppAdministratorGroupFixer.java | 2 +- .../com/inteligr8/activiti/auth/service/GroupSyncService.java | 2 +- .../com/inteligr8/activiti/auth/service/UserSyncService.java | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4887c20..e5212b3 100644 --- a/README.md +++ b/README.md @@ -61,7 +61,7 @@ The following properties provide the core functionality of this extension. That | Property | Default | Description | | ---------------------------------------------- | --------- | ----------- | -| `auth-ext.sync.externalId` | `oauth` | This will serve as the external ID for users and as the prefix for the external ID of groups created by this extension. | +| `auth-ext.externalId` | `oauth` | This will serve as the external ID for users and as the prefix for the external ID of groups created by this extension. | | `auth-ext.tenant` | | A preselected tenant for all operations in this extension. Only required if there are multiple tenants. | | `auth-ext.sync.user.createMissing` | `true` | If the user is authenticated, the user may be created in APS. | | `auth-ext.sync.user.requireGroup` | | This is only applicable when `createMissing` is `true`. If this is unset or the OAuth Authorization Server gives the user the specified group/role, then the user record will be created in APS. | 
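Review bot: The new runtime-scoped dependency `com.inteligr8.activiti:multiext-activiti-app-ext:1.0.0` arrives with nothing in the hunk or the commit message saying what it contributes at runtime, and an artifact that no code compiles against is exactly what a later cleanup pass will remove as "unused". A one-line comment above the `<dependency>` element stating the reason it must be on the runtime classpath, e.g. `<!-- runtime-only: needed because <state the reason> -->`, would protect it. If this pom manages versions through `<properties>` or `<dependencyManagement>`, the inline `1.0.0` belongs there as well, though the hunk's context lines (the XML tags) were lost in this rendering so I cannot confirm the convention. From a supply-chain standpoint the exact pin is the right choice; keep it exact rather than widening to a range.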
diff --git a/src/main/java/com/inteligr8/activiti/auth/ActivitiAppAdministratorGroupFixer.java b/src/main/java/com/inteligr8/activiti/auth/ActivitiAppAdministratorGroupFixer.java index c60f3b8..afcd6c6 100644 --- a/src/main/java/com/inteligr8/activiti/auth/ActivitiAppAdministratorGroupFixer.java +++ b/src/main/java/com/inteligr8/activiti/auth/ActivitiAppAdministratorGroupFixer.java @@ -64,7 +64,7 @@ public class ActivitiAppAdministratorGroupFixer implements DataFixer { @Value("${auth-ext.group.admins.name:Superusers}") private String adminGroupName; - @Value("${auth-ext.sync.externalId:oauth}") + @Value("${auth-ext.externalId:oauth}") protected String externalIdmSource; @Value("${auth-ext.group.admins.validate:false}") diff --git a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java index 127541a..332a003 100644 --- a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java +++ b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java @@ -56,7 +56,7 @@ public class GroupSyncService { @Autowired private TenantFinderService tenantFinderService; - @Value("${auth-ext.sync.externalId:oauth}") + @Value("${auth-ext.externalId:oauth}") protected String externalIdmSource; @Value("${auth-ext.sync.group.createMissing:true}") diff --git a/src/main/java/com/inteligr8/activiti/auth/service/UserSyncService.java b/src/main/java/com/inteligr8/activiti/auth/service/UserSyncService.java index f559b60..b0b3874 100644 --- a/src/main/java/com/inteligr8/activiti/auth/service/UserSyncService.java +++ b/src/main/java/com/inteligr8/activiti/auth/service/UserSyncService.java @@ -36,7 +36,7 @@ public class UserSyncService { @Autowired private TenantFinderService tenantFinderService; - @Value("${auth-ext.sync.externalId:oauth}") + @Value("${auth-ext.externalId:oauth}") protected String externalIdmSource; @Value("${auth-ext.sync.user.createMissing:true}") 
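Review bot: Renaming the property from `auth-ext.sync.externalId` to `auth-ext.externalId` while keeping the `oauth` default means any deployment still setting the old key silently falls back to `oauth`, and `externalIdmSource` is what tags synced users and prefixes synced groups (per the README hunk in this patch), so a silent change here would presumably stop previously synced users and groups from matching their records. A compatibility fallback costs one nested placeholder, `@Value("${auth-ext.externalId:${auth-ext.sync.externalId:oauth}}")`, applied identically in this hunk and in the GroupSyncService and UserSyncService hunks that follow; Spring resolves a placeholder inside the default. It is also worth noting that the dev run configuration in patch 3's pom.xml hunk passes `-Dauth-ext.external.id=keycloak`, which matches neither the old nor the new key as far as this patch shows, so that profile would be running with `oauth` unnoticed. The enclosing classes and their other fields lie outside these hunks.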
From d631cc5f122293553be8ca199149cd78dc8e8fda Mon Sep 17 00:00:00 2001 From: "Brian M. Long" Date: Mon, 5 May 2025 13:38:50 -0400 Subject: [PATCH 3/3] externalize only groups that the user should belong to --- pom.xml | 1 - .../auth/service/GroupSyncService.java | 19 ++++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pom.xml b/pom.xml index d20cd80..e6c6fc0 100644 --- a/pom.xml +++ b/pom.xml @@ -47,7 +47,6 @@ 10-2.2 -Dspring.main.allow-circular-references=true \ -Dhibernate.dialect=org.hibernate.dialect.PostgreSQLDialect \ - -Dauth-ext.oauth.enabled=true \ -Dauth-ext.external.id=keycloak \ -Dauth-ext.sync.group.translate.patterns=aps-admin \ -Dauth-ext.sync.group.translate.replacements=Superusers \ diff --git a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java index 332a003..325ecc2 100644 --- a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java +++ b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java 
@@ -181,18 +181,19 @@ public class GroupSyncService { } } else { String oidcGroup = this.apsGroupNameToOidcGroup(group.getName()); - - if (this.externalizeMatchingInternalGroups) { - this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource); - // register the group as external - group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup)); - group.setLastUpdate(new Date()); - this.groupService.save(group); - // internal role already existed and the user is already a member - } if (oidcGroups.remove(oidcGroup)) { this.logger.trace("User already belongs to APS group mapped to by OIDC group: {}: {} => {}", user.getExternalId(), oidcGroup, group.getName()); + + if (this.externalizeMatchingInternalGroups) { + this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource); + // register the group as external + group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup)); + group.setLastUpdate(new Date()); + this.groupService.save(group); + // internal role already existed and the user is already a member + } + continue; } else if (!this.syncInternalGroups) { this.logger.trace("Internal APS group membership sync disabled; not considering removal of user from APS group: {} => {}", user.getExternalId(), group.getName());
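Review bot: The warn log at the top of the relocated `externalizeMatchingInternalGroups` block records which group is being reclassified but not whose login triggered it, while the trace line just above it does carry `user.getExternalId()`; since this path rewrites the external ID of an existing APS group via `group.setExternalId(...)` and `groupService.save(group)` — and patch 3's run configuration maps `aps-admin` onto `Superusers`, so the group can be a privileged one — the audit trail should name the principal: `this.logger.warn("Classifying internal APS group as external: {} => {} (triggered by sync of user {})", group.getName(), this.externalIdmSource, user.getExternalId());`. Moving the block under `oidcGroups.remove(oidcGroup)` is the right direction, since only a group the IdP actually asserts for this user is touched. The trailing comment `// internal role already existed and the user is already a member` now sits after the save and duplicates the trace message; it reads better as the explanation for the `continue;` or can be dropped. The enclosing method begins before this hunk and continues after it.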