From dcd0b4ebcdaad30dc9d87c78a31c13c219240cd9 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 14 Apr 2026 17:19:20 +0200
Subject: [PATCH] fix: use managed assignments for OIDC fallback role paths

The roles-claim and default-roles fallback paths in applyClaimMappings were using assignRoleToUser (origin='direct'), causing OIDC-derived roles to accumulate across logins and never be cleared. Changed both to assignManagedRole (origin='managed') so all OIDC-assigned roles are cleared and re-evaluated on every login, same as claim mapping rules. Only roles assigned directly via the admin UI are preserved.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../com/cameleer3/server/app/security/OidcAuthController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
index d0dc7e72..6e480967 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
@@ -222,7 +222,7 @@ public class OidcAuthController {
 for (String roleName : oidcExtractedRoles) {
 UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
 if (roleId != null) {
- rbacService.assignRoleToUser(userId, roleId);
+ rbacService.assignManagedRole(userId, roleId, null);
 log.info("OIDC role {} assigned to {} (from token claim)", roleName, userId);
 }
 }
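Review bot: The third argument to `assignManagedRole` is a bare `null` on the added line here and again in the defaultRoles hunk at @@ -232, and nothing in the diff records what that parameter denotes or how the per-login clearing of managed roles treats a null value. If the clear step keys on that identifier (presumably the claim-mapping rule that produced the assignment, going by the commit message), assignments recorded with null could survive the reset or be indistinguishable from rule-derived ones when auditing why a user holds a role; this is inferred, since the service and the clearing code are outside the hunk. Replace the literal with a named constant, or at least state the intent above the call, e.g. `// not tied to a claim-mapping rule; still origin='managed', so it is cleared and re-derived on every OIDC login`. A short test that logs in twice with a shrinking roles claim would pin the behaviour the commit describes. The enclosing applyClaimMappings method starts and ends outside the hunk.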
@@ -232,7 +232,7 @@ public class OidcAuthController {
 for (String roleName : defaultRoles) {
 UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
 if (roleId != null) {
- rbacService.assignRoleToUser(userId, roleId);
+ rbacService.assignManagedRole(userId, roleId, null);
 log.debug("Default role {} assigned to {} (no claim mapping or OIDC roles)", roleName, userId);
 }
 }