externalize only groups that the user should belong to

2025-05-05 13:38:50 -04:00
parent 0a10b06cc8
commit d631cc5f12
2 changed files with 10 additions and 10 deletions
--- a/pom.xml
+++ b/pom.xml
@@ -47,7 +47,6 @@
 		<tomcat-rad.version>10-2.2</tomcat-rad.version>
 		<aps.tomcat.opts.base>-Dspring.main.allow-circular-references=true \
 			-Dhibernate.dialect=org.hibernate.dialect.PostgreSQLDialect \
-			-Dauth-ext.oauth.enabled=true \
 			-Dauth-ext.external.id=keycloak \
 			-Dauth-ext.sync.group.translate.patterns=aps-admin \
 			-Dauth-ext.sync.group.translate.replacements=Superusers \
--- a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java
+++ b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java
@@ -181,18 +181,19 @@ public class GroupSyncService {
                }
            } else {
                String oidcGroup = this.apsGroupNameToOidcGroup(group.getName());
-                
-                if (this.externalizeMatchingInternalGroups) {
-                    this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource);
-                    // register the group as external
-                    group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup));
-                    group.setLastUpdate(new Date());
-                    this.groupService.save(group);
-                    // internal role already existed and the user is already a member
-                }

                if (oidcGroups.remove(oidcGroup)) {
                    this.logger.trace("User already belongs to APS group mapped to by OIDC group: {}: {} => {}", user.getExternalId(), oidcGroup, group.getName());
+                    
+                    if (this.externalizeMatchingInternalGroups) {
+                        this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource);
+                        // register the group as external
+                        group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup));
+                        group.setLastUpdate(new Date());
+                        this.groupService.save(group);
+                        // internal role already existed and the user is already a member
+                    }
+                    
                    continue;
                } else if (!this.syncInternalGroups) {
                    this.logger.trace("Internal APS group membership sync disabled; not considering removal of user from APS group: {} => {}", user.getExternalId(), group.getName());