From d631cc5f122293553be8ca199149cd78dc8e8fda Mon Sep 17 00:00:00 2001
From: "Brian M. Long"
Date: Mon, 5 May 2025 13:38:50 -0400
Subject: [PATCH] externalize only groups that the user should belong to
---
 pom.xml | 1 -
 .../auth/service/GroupSyncService.java | 19 ++++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/pom.xml b/pom.xml
index d20cd80..e6c6fc0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,7 +47,6 @@ 10-2.2
 -Dspring.main.allow-circular-references=true \
 -Dhibernate.dialect=org.hibernate.dialect.PostgreSQLDialect \
- -Dauth-ext.oauth.enabled=true \
 -Dauth-ext.external.id=keycloak \
 -Dauth-ext.sync.group.translate.patterns=aps-admin \
 -Dauth-ext.sync.group.translate.replacements=Superusers \
diff --git a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java
index 332a003..325ecc2 100644
--- a/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java
+++ b/src/main/java/com/inteligr8/activiti/auth/service/GroupSyncService.java
@@ -181,18 +181,19 @@ public class GroupSyncService {
 }
 } else {
 String oidcGroup = this.apsGroupNameToOidcGroup(group.getName());
-
- if (this.externalizeMatchingInternalGroups) {
- this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource);
- // register the group as external
- group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup));
- group.setLastUpdate(new Date());
- this.groupService.save(group);
- // internal role already existed and the user is already a member
- }
 if (oidcGroups.remove(oidcGroup)) {
 this.logger.trace("User already belongs to APS group mapped to by OIDC group: {}: {} => {}", user.getExternalId(), oidcGroup, group.getName());
+
+ if (this.externalizeMatchingInternalGroups) {
+ this.logger.warn("Classifying internal APS group as external: {} => {}", group.getName(), this.externalIdmSource);
+ // register the group as external
+ group.setExternalId(this.oidcGroupToApsGroupExternalId(oidcGroup));
+ group.setLastUpdate(new Date());
+ this.groupService.save(group);
+ // internal role already existed and the user is already a member
+ }
+ continue;
 } else if (!this.syncInternalGroups) {
 this.logger.trace("Internal APS group membership sync disabled; not considering removal of user from APS group: {} => {}", user.getExternalId(), group.getName());