fix(login): ensure auth request information is up-to-date in external user check (#6060)

internal/api/ui/login/external_provider_handler.go

@@ -292,6 +292,13 @@ func (l *Login) handleExternalUserAuthenticated(
 		l.renderError(w, r, authReq, externalErr)
 		return
 	}
+	var err error
+	// read current auth request state (incl. authorized user)
+	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
 	externalUser, externalUserChange, err := l.runPostExternalAuthenticationActions(externalUser, tokens(session), authReq, r, user, nil)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
@@ -302,14 +309,6 @@ func (l *Login) handleExternalUserAuthenticated(
 		l.externalUserNotExisting(w, r, authReq, provider, externalUser, externalUserChange)
 		return
 	}
-	if provider.IsAutoUpdate || len(externalUser.Metadatas) > 0 || externalUserChange {
-		// read current auth request state (incl. authorized user)
-		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
-		if err != nil {
-			l.renderError(w, r, authReq, err)
-			return
-		}
-	}
 	if provider.IsAutoUpdate || externalUserChange {
 		err = l.updateExternalUser(r.Context(), authReq, externalUser)
 		if err != nil {

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -247,6 +247,8 @@ func (repo *AuthRequestRepo) CheckExternalUserLogin(ctx context.Context, authReq
 	}
 	err = repo.checkExternalUserLogin(ctx, request, externalUser.IDPConfigID, externalUser.ExternalUserID)
 	if errors.IsNotFound(err) {
+		// clear potential user information (e.g. when username was entered but another external user was returned)
+		request.SetUserInfo("", "", "", "", "", request.UserOrgID)
 		if err := repo.setLinkingUser(ctx, request, externalUser); err != nil {
 			return err
 		}