fix: migrate external id of federated users (#6312)

* feat: migrate external id * implement tests and some renaming * fix projection * cleanup * i18n * fix event type * handle migration for new services as well * typo
2025-08-12 10:49:25 +00:00 · 2023-08-04 11:35:36 +02:00
parent d33a4fbb2f
commit 45262e6829
28 changed files with 611 additions and 9 deletions
--- a/internal/api/idp/idp.go
+++ b/internal/api/idp/idp.go
@@ -120,6 +120,11 @@ func (h *Handler) handleCallback(w http.ResponseWriter, r *http.Request) {
 	userID, err := h.checkExternalUser(ctx, intent.IDPID, idpUser.GetID())
 	logging.WithFields("intent", intent.AggregateID).OnError(err).Error("could not check if idp user already exists")

+	if userID == "" {
+		userID, err = h.tryMigrateExternalUser(ctx, intent.IDPID, idpUser, idpSession)
+		logging.WithFields("intent", intent.AggregateID).OnError(err).Error("migration check failed")
+	}
+
 	token, err := h.commands.SucceedIDPIntent(ctx, intent, idpUser, idpSession, userID)
 	if err != nil {
 		redirectToFailureURLErr(w, r, intent, z_errs.ThrowInternal(err, "IDP-JdD3g", "Errors.Intent.TokenCreationFailed"))
@@ -128,6 +133,22 @@ func (h *Handler) handleCallback(w http.ResponseWriter, r *http.Request) {
 	redirectToSuccessURL(w, r, intent, token, userID)
 }

+func (h *Handler) tryMigrateExternalUser(ctx context.Context, idpID string, idpUser idp.User, idpSession idp.Session) (userID string, err error) {
+	migration, ok := idpSession.(idp.SessionSupportsMigration)
+	if !ok {
+		return "", nil
+	}
+	previousID, err := migration.RetrievePreviousID()
+	if err != nil || previousID == "" {
+		return "", err
+	}
+	userID, err = h.checkExternalUser(ctx, idpID, previousID)
+	if err != nil {
+		return "", err
+	}
+	return userID, h.commands.MigrateUserIDP(ctx, userID, "", idpID, previousID, idpUser.GetID())
+}
+
 func (h *Handler) parseCallbackRequest(r *http.Request) (*externalIDPCallbackData, error) {
 	data := new(externalIDPCallbackData)
 	err := h.parser.Parse(r, data)
@@ -196,7 +217,7 @@ func (h *Handler) fetchIDPUser(ctx context.Context, identityProvider idp.Provide
 	case *openid.Provider:
 		session = &openid.Session{Provider: provider, Code: code}
 	case *azuread.Provider:
-		session = &oauth.Session{Provider: provider.Provider, Code: code}
+		session = &azuread.Session{Session: &oauth.Session{Provider: provider.Provider, Code: code}}
 	case *github.Provider:
 		session = &oauth.Session{Provider: provider.Provider, Code: code}
 	case *gitlab.Provider:
--- a/internal/api/ui/login/external_provider_handler.go
+++ b/internal/api/ui/login/external_provider_handler.go
@@ -222,7 +222,7 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 			l.externalAuthFailed(w, r, authReq, nil, nil, err)
 			return
 		}
-		session = &oauth.Session{Provider: provider.(*azuread.Provider).Provider, Code: data.Code}
+		session = &azuread.Session{Session: &oauth.Session{Provider: provider.(*azuread.Provider).Provider, Code: data.Code}}
 	case domain.IDPTypeGitHub:
 		provider, err = l.githubProvider(r.Context(), identityProvider)
 		if err != nil {
@@ -275,6 +275,46 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 	l.handleExternalUserAuthenticated(w, r, authReq, identityProvider, session, user, l.renderNextStep)
 }

+func (l *Login) tryMigrateExternalUserID(r *http.Request, session idp.Session, authReq *domain.AuthRequest, externalUser *domain.ExternalUser) (previousIDMatched bool, err error) {
+	migration, ok := session.(idp.SessionSupportsMigration)
+	if !ok {
+		return false, nil
+	}
+	previousID, err := migration.RetrievePreviousID()
+	if err != nil {
+		return false, err
+	}
+	return l.migrateExternalUserID(r, authReq, externalUser, previousID)
+}
+
+func (l *Login) migrateExternalUserID(r *http.Request, authReq *domain.AuthRequest, externalUser *domain.ExternalUser, previousID string) (previousIDMatched bool, err error) {
+	if previousID == "" {
+		return false, nil
+	}
+	// save the currentID, so we're able to reset to it later on if the user is not found with the old ID as well
+	externalUserID := externalUser.ExternalUserID
+	externalUser.ExternalUserID = previousID
+	if err = l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, authReq.AgentID, externalUser, domain.BrowserInfoFromRequest(r), true); err != nil {
+		// always reset to the mapped ID
+		externalUser.ExternalUserID = externalUserID
+		// but ignore the error if the user was just not found with the previousID
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	previousIDMatched = true
+	if err = l.authRepo.ResetLinkingUsers(r.Context(), authReq.ID, authReq.AgentID); err != nil {
+		return previousIDMatched, err
+	}
+	// read current auth request state (incl. authorized user)
+	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
+	if err != nil {
+		return previousIDMatched, err
+	}
+	return previousIDMatched, l.command.MigrateUserIDP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, externalUser.IDPConfigID, previousID, externalUserID)
+}
+
 // handleExternalUserAuthenticated maps the IDP user, checks for a corresponding externalID
 func (l *Login) handleExternalUserAuthenticated(
 	w http.ResponseWriter,
@@ -287,11 +327,22 @@ func (l *Login) handleExternalUserAuthenticated(
 ) {
 	externalUser := mapIDPUserToExternalUser(user, provider.ID)
 	// check and fill in local linked user
-	externalErr := l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, authReq.AgentID, externalUser, domain.BrowserInfoFromRequest(r))
+	externalErr := l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, authReq.AgentID, externalUser, domain.BrowserInfoFromRequest(r), false)
 	if externalErr != nil && !errors.IsNotFound(externalErr) {
 		l.renderError(w, r, authReq, externalErr)
 		return
 	}
+	if externalErr != nil && errors.IsNotFound(externalErr) {
+		previousIDMatched, err := l.tryMigrateExternalUserID(r, session, authReq, externalUser)
+		if err != nil {
+			l.renderError(w, r, authReq, err)
+			return
+		}
+		// if the old ID matched, ignore the not found error from the current ID
+		if previousIDMatched {
+			externalErr = nil
+		}
+	}
 	var err error
 	// read current auth request state (incl. authorized user)
 	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)