Create user without organization seems possible #172

Open
Gaetanbrl opened this issue Jan 30, 2025 · 3 comments

Comments


Gaetanbrl commented Jan 30, 2025

In the Gateway, it seems possible to create a user without an organization.

If a user is created from the console or the register page, a default organization is used.
But with OAuth2, a user without an org field can be created.

Here are the steps and my understanding:

  1. A user tries to log in with ProConnect (in my case, only a SIRET field exists about the organization).

  2. At the claims mapping step, the org is mapped according to the gateway claims config.

     https://github.com/georchestra/georchestra-gateway/blob/main/gateway/src/main/java/org/georchestra/gateway/security/oauth2/OpenIdConnectUserMapper.java#L178

     But this is not required. So we haven't made any changes to the configuration.

  3. A new account is created (account.getOrg() returns "").

  4. Next, the gateway searches for the Organization (find or create) but finally does nothing without an organization.

  5. From the console, the admin can observe this new user (not pending by default) without any org.

  6. If I change the gateway/security.yaml config file, the gateway maps the org id correctly and will create the org + insert this new user in this new org.

With this case, a user is created without any organization. This is not consistent with what the console / register page seems to allow.

Therefore, this case should probably not be possible if the organization is correctly mapped / configured from YAML.

Maybe I'm wrong, but this case seems really possible and the organization appears as not required.

@Gaetanbrl Gaetanbrl changed the title Create user without Org Create user without organization seems possible Jan 30, 2025
Author

Gaetanbrl commented Jan 30, 2025

With this case, a user is created without any organization. This is not consistent with what the console / register page seems to allow.

A question about this issue:

Is this behavior expected or desired?

Member

landryb commented Jan 30, 2025

I'm not sure it's expected/desired, but so far in the user console, you can 'detach' an LDAP/local user from an org (e.g. the user isn't attached to any org) and you can save the user without having a warning/error. So far, and to my understanding, the code doesn't enforce an LDAP/local user being linked to an org. So here OAuth aligns with that behaviour.

Depending on platform account policies, one might want to enforce it or not, so at least having it configurable is desirable :)

Author

Gaetanbrl commented Jan 30, 2025

Ok, I understand.

Next, 2 questions come to my mind:

  • This configuration is maybe not the best way to force the link user <> org. This config is useful to map non-standard claims <> geOrchestra info (only org id / roles / user id). I suppose that a (new) dedicated configuration should be used to force (or not) this link according to platform policies.

  • (another topic?) This configuration seems to concern all the gateway behavior because the custom claims config has to be set at the georchestra.gateway.security.oidc.claims level. Several providers can have different mappings (imagine using ProConnect, FranceConnect or others at the same time). I don't see how to customize claims by provider with the current configuration. But I'm maybe wrong. See Claims mapping limitation #176
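Added illustration (not georchestra-gateway code) of the two points raised in this thread: a per-provider claims mapping, plus a hypothetical `require_organization` policy that refuses to provision an account whose mapped org resolves to "". The config layout, the `siret` claim name and the sample tokens are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class ProviderClaimsConfig:
    """Hypothetical per-provider mapping: where the org id lives in the
    token claims, and whether an account may exist without an org."""
    org_path: Optional[str]       # dotted path into the claims, or None
    require_organization: bool    # hypothetical policy flag, not a real gateway key


def lookup(claims: Mapping[str, Any], path: Optional[str]) -> str:
    """Resolve a dotted path such as "organization.id"; "" when absent."""
    if not path:
        return ""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, Mapping) or key not in node:
            return ""
        node = node[key]
    return "" if node is None else str(node).strip()


@dataclass(frozen=True)
class Provisioning:
    allowed: bool
    org: str
    reason: str


def provision(provider: str, claims: Mapping[str, Any],
              configs: Mapping[str, ProviderClaimsConfig]) -> Provisioning:
    """Decide whether the account may be created and with which org."""
    cfg = configs.get(provider)
    if cfg is None:
        return Provisioning(False, "", f"no claims mapping for provider {provider!r}")
    org = lookup(claims, cfg.org_path)
    if not org and cfg.require_organization:
        # The gap described in the issue: without this check the account is
        # created with org == "" and the find-or-create step is skipped.
        return Provisioning(False, "", "organization claim missing but required")
    return Provisioning(True, org, "ok" if org else "created without organization")


# Constructed sample config; the claim names are not real provider payloads.
CONFIGS = {
    "proconnect": ProviderClaimsConfig(org_path="siret", require_organization=True),
    "franceconnect": ProviderClaimsConfig(org_path=None, require_organization=False),
}
```

With `require_organization` set, the ProConnect case from the report is rejected at mapping time instead of producing an org-less account that only the console admin would notice later.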
