Mapped user roles are not always revoked

Created on 9 December 2024, 3 months ago

Problem/Motivation

This was originally reported on security.drupal.org but was deemed ok to discuss in public.

The module has an option to map "groups" from an external system (e.g. Okta) to Drupal roles. When the user logs in, Okta returns a list of groups the user is assigned to. If any of these are mapped to Drupal roles, the user is assigned that role in Drupal. Similarly, if the user already has a role that is mapped to a group, but Okta reports that the user no longer has that group, then the role is removed from the user.

This works as expected until the user has no groups. The expectation would be that all mapped roles would be removed from the user, but instead they retain all roles they previously had.

Steps to reproduce

  • Configure role mappings for one or more roles/groups
  • Authenticate a user with one of the groups, confirm the role is assigned to the user
  • Remove all groups from the provider. Okta will omit the groups array entirely; other providers might send an empty array and would not be affected
  • Have the user log out and log back in. The role should be removed but it is not

Proposed resolution

Evaluate roles regardless of whether the userinfo response contains the groups array.

Remaining tasks

User interface changes

API changes

Data model changes
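To make the failure mode concrete, here is an added model of the mapped-role sync in Python. It is not the module's PHP code; the group-to-role mapping, the userinfo payloads and the role names are constructed for illustration. The buggy variant reproduces the reported behaviour (a missing `groups` claim skips evaluation, so stale roles survive), the fixed variant treats a missing claim the same as an empty array, and roles outside the mapping are never touched in either case.

```python
"""Model of mapped-role synchronisation on login (illustrative, not the module's code)."""
from typing import Dict, Iterable, Mapping, Set, Tuple

# Constructed mapping of provider group names to Drupal role machine names.
GROUP_ROLE_MAP: Dict[str, str] = {
    "okta-admins": "administrator",
    "okta-editors": "content_editor",
}


def mapped_role_changes(
    current_roles: Iterable[str],
    groups: Iterable[str],
    group_role_map: Mapping[str, str],
) -> Tuple[Set[str], Set[str]]:
    """Return (roles_to_add, roles_to_remove) for one login.

    Only roles that appear in the mapping are ever added or removed; roles
    granted locally (or by other means) are left alone.
    """
    roles = set(current_roles)
    groups = set(groups)
    mapped_roles = set(group_role_map.values())
    # Roles the provider's groups entitle the user to right now.
    wanted = {role for group, role in group_role_map.items() if group in groups}
    to_add = wanted - roles
    to_remove = (mapped_roles - wanted) & roles
    return to_add, to_remove


def sync_roles_buggy(
    current_roles: Iterable[str],
    userinfo: Mapping[str, object],
    group_role_map: Mapping[str, str] = GROUP_ROLE_MAP,
) -> Set[str]:
    """Reported behaviour: no 'groups' key means no evaluation at all."""
    roles = set(current_roles)
    if "groups" not in userinfo:
        return roles  # stale mapped roles are retained here
    to_add, to_remove = mapped_role_changes(roles, userinfo["groups"], group_role_map)
    return (roles | to_add) - to_remove


def sync_roles_fixed(
    current_roles: Iterable[str],
    userinfo: Mapping[str, object],
    group_role_map: Mapping[str, str] = GROUP_ROLE_MAP,
) -> Set[str]:
    """Proposed resolution: a missing 'groups' claim is treated as an empty list."""
    roles = set(current_roles)
    groups = userinfo.get("groups") or []  # None / absent / [] all mean "no groups"
    to_add, to_remove = mapped_role_changes(roles, groups, group_role_map)
    return (roles | to_add) - to_remove


if __name__ == "__main__":
    # Constructed state: user previously got 'administrator' via okta-admins and
    # also holds a locally granted role that must survive any sync.
    current = {"authenticated", "administrator", "local_only"}
    okta_omits_groups = {"sub": "user-1"}            # Okta: array omitted
    other_empty_groups = {"sub": "user-1", "groups": []}  # other IdP: empty array
    print("buggy, omitted :", sorted(sync_roles_buggy(current, okta_omits_groups)))
    print("fixed, omitted :", sorted(sync_roles_fixed(current, okta_omits_groups)))
    print("buggy, empty   :", sorted(sync_roles_buggy(current, other_empty_groups)))
```

Running the script shows that only the buggy/omitted combination keeps `administrator`; the empty-array case is handled correctly by both variants, which is why providers that send `[]` are unaffected.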

πŸ› Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇦🇺 Australia mstrelan
