strapi-plugin-oidc 1.6.1 → 1.6.2

package/README.md

@@ -121,7 +121,12 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
 2. **No group match or no mapping configured** → use the default OIDC roles
 
-> **Note:** Existing users' roles are updated on every login to reflect current group membership.
+### Role updates on subsequent logins
+
+- **New users** — OIDC roles are always assigned on first login.
+- **Existing users with manually unchanged roles** — If a user's current roles still match the roles assigned by OIDC on their previous login (i.e., an administrator has not manually changed their roles), their roles are updated to reflect the current group mapping. This ensures that when the group-to-role mapping changes, returning users pick up the new roles automatically.
+- **Existing users with manually changed roles** — If an administrator has manually assigned the user different roles since their last OIDC login, the user's roles are left unchanged. OIDC will not overwrite a manual role assignment.
+- **Mapping removed or user's groups don't map** — If the `OIDC_GROUP_ROLE_MAP` is removed, a user's groups no longer match any mapping, or there are no default OIDC roles configured, the user keeps their last known roles.
 
 ## Whitelist API
 

package/dist/server/index.js

@@ -494,6 +494,30 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
   await oauthService2.triggerWebHook(activateUser);
   return activateUser;
 }
+function rolesChanged(current, next) {
+  return current.size !== next.size || [...next].some((id) => !current.has(id));
+}
+async function updateUserRoles(user, currentRoleIds, newRoleIds) {
+  try {
+    strapi.log.info(
+      `[OIDC] Roles updated for user ${user.id}: [${[...currentRoleIds].join(",")}] -> [${newRoleIds.join(",")}]`
+    );
+    await strapi.db.query("admin::user").update({
+      where: { id: user.id },
+      data: { roles: newRoleIds }
+    });
+  } catch (updateErr) {
+    strapi.log.error({
+      code: errorCodes.ROLE_UPDATE_FAILED,
+      userId: user.id,
+      detail: getErrorDetail("role_update_failed", {
+        userId: user.id,
+        error: updateErr.message
+      })
+    });
+    throw updateErr;
+  }
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const rawEmail = String(userResponseData.email ?? "");
   const email = rawEmail.toLowerCase();
@@ -506,40 +530,26 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
   let userCreated = false;
   let rolesUpdated = false;
-  let activateUser = await userService.findOneByEmail(email);
-  if (!activateUser) {
-    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+  let user = await userService.findOneByEmail(email, ["roles"]);
+  if (!user) {
+    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
     userCreated = true;
+    rolesUpdated = true;
   } else if (roles2.length > 0) {
-    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
+    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
     const newRoleIds = new Set(roles2);
-    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
-    if (rolesChanged) {
-      try {
-        strapi.log.info(
-          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
-        );
-        await strapi.db.query("admin::user").update({
-          where: { id: activateUser.id },
-          data: { roles: roles2 }
-        });
+    if (rolesChanged(currentRoleIds, newRoleIds)) {
+      const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
+      if (isOnDefaultRoles) {
+        await updateUserRoles(user, currentRoleIds, roles2);
         rolesUpdated = true;
-      } catch (updateErr) {
-        strapi.log.error({
-          code: errorCodes.ROLE_UPDATE_FAILED,
-          userId: activateUser.id,
-          detail: getErrorDetail("role_update_failed", {
-            userId: activateUser.id,
-            error: updateErr.message
-          })
-        });
-        throw updateErr;
       }
     }
   }
-  const jwtToken = await oauthService2.generateToken(activateUser, ctx);
-  oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+  const jwtToken = await oauthService2.generateToken(user, ctx);
+  oauthService2.triggerSignInSuccess(user);
+  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
 }
 function classifyOidcError(msg, userInfo) {
   const errorMap = [
@@ -1525,7 +1535,7 @@ function whitelistService({ strapi: strapi2 }) {
       });
     },
     async removeUser(email) {
-      await strapi2.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({
+      await getWhitelistQuery().deleteMany({
         where: { email }
       });
     },

package/dist/server/index.mjs

@@ -488,6 +488,30 @@ async function registerNewUser(oauthService2, email, userResponseData, config2,
   await oauthService2.triggerWebHook(activateUser);
   return activateUser;
 }
+function rolesChanged(current, next) {
+  return current.size !== next.size || [...next].some((id) => !current.has(id));
+}
+async function updateUserRoles(user, currentRoleIds, newRoleIds) {
+  try {
+    strapi.log.info(
+      `[OIDC] Roles updated for user ${user.id}: [${[...currentRoleIds].join(",")}] -> [${newRoleIds.join(",")}]`
+    );
+    await strapi.db.query("admin::user").update({
+      where: { id: user.id },
+      data: { roles: newRoleIds }
+    });
+  } catch (updateErr) {
+    strapi.log.error({
+      code: errorCodes.ROLE_UPDATE_FAILED,
+      userId: user.id,
+      detail: getErrorDetail("role_update_failed", {
+        userId: user.id,
+        error: updateErr.message
+      })
+    });
+    throw updateErr;
+  }
+}
 async function handleUserAuthentication(userService, oauthService2, roleService2, whitelistService2, userResponseData, config2, ctx) {
   const rawEmail = String(userResponseData.email ?? "");
   const email = rawEmail.toLowerCase();
@@ -500,40 +524,26 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
   const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
   let userCreated = false;
   let rolesUpdated = false;
-  let activateUser = await userService.findOneByEmail(email);
-  if (!activateUser) {
-    activateUser = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
+  let user = await userService.findOneByEmail(email, ["roles"]);
+  if (!user) {
+    user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
     userCreated = true;
+    rolesUpdated = true;
   } else if (roles2.length > 0) {
-    const currentRoleIds = new Set((activateUser.roles ?? []).map((r) => String(r.id)));
+    const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
+    const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
     const newRoleIds = new Set(roles2);
-    const rolesChanged = currentRoleIds.size !== newRoleIds.size || [...newRoleIds].some((id) => !currentRoleIds.has(id));
-    if (rolesChanged) {
-      try {
-        strapi.log.info(
-          `[OIDC] Roles updated for user ${activateUser.id}: [${[...currentRoleIds].join(",")}] -> [${roles2.join(",")}]`
-        );
-        await strapi.db.query("admin::user").update({
-          where: { id: activateUser.id },
-          data: { roles: roles2 }
-        });
+    if (rolesChanged(currentRoleIds, newRoleIds)) {
+      const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
+      if (isOnDefaultRoles) {
+        await updateUserRoles(user, currentRoleIds, roles2);
         rolesUpdated = true;
-      } catch (updateErr) {
-        strapi.log.error({
-          code: errorCodes.ROLE_UPDATE_FAILED,
-          userId: activateUser.id,
-          detail: getErrorDetail("role_update_failed", {
-            userId: activateUser.id,
-            error: updateErr.message
-          })
-        });
-        throw updateErr;
       }
     }
   }
-  const jwtToken = await oauthService2.generateToken(activateUser, ctx);
-  oauthService2.triggerSignInSuccess(activateUser);
-  return { activateUser, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
+  const jwtToken = await oauthService2.generateToken(user, ctx);
+  oauthService2.triggerSignInSuccess(user);
+  return { activateUser: user, jwtToken, userCreated, rolesUpdated, resolvedRoleNames };
 }
 function classifyOidcError(msg, userInfo) {
   const errorMap = [
@@ -1519,7 +1529,7 @@ function whitelistService({ strapi: strapi2 }) {
       });
     },
     async removeUser(email) {
-      await strapi2.db.query("plugin::strapi-plugin-oidc.whitelists").deleteMany({
+      await getWhitelistQuery().deleteMany({
         where: { email }
       });
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.6.1",
+  "version": "1.6.2",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",