My app integrates with OIDC/OAuth2. When I set isActive = false, that user is still able to log in and perform actions. We did override the SynchronizingOidcUserMapper class, but I didn't see anything related to active/enabled users. How can I block a user from entering the app?
Hello!
As I can see from the code, Spring does not check UserDetails constraints (isEnabled, isAccountNonExpired, etc.) for Oidc authorization. Probably you should configure user access to specific clients in Keycloak.
Sorry, I think I wasn't clear enough. We use Azure AD, not Keycloak. I think we can set the user inactive from Azure AD, but the requirement is to set it straight from the app. I wonder where we can block user login from Jmix. For example, let the user pass the Azure gate, but the app will block the user, only showing a blank page.
I think in Jmix you can skip assigning roles during user synchronization to disable the UI. For instance, override SynchronizingOidcUserMapper#saveJmixUserAndRoleAssignments() and check isEnabled on the Jmix user. If the user is not active, just remove the existing roles.
    @Override
    protected void saveJmixUserAndRoleAssignments(OidcUser oidcUser, User jmixUser) {
        if (jmixUser.isEnabled()) {
            // active user: let the default mapper create/update the user and its role assignments
            super.saveJmixUserAndRoleAssignments(oidcUser, jmixUser);
        } else {
            SaveContext saveContext = new SaveContext();
            String username = getOidcUserUsername(oidcUser);
            // disable soft-deletion to completely remove role assignment records from the database
            saveContext.setHint(PersistenceHints.SOFT_DELETION, false);
            List<RoleAssignmentEntity> existingRoleAssignmentEntities = dataManager.load(RoleAssignmentEntity.class)
                    .query("select e from sec_RoleAssignmentEntity e where e.username = :username")
                    .parameter("username", username)
                    .list();
            // inactive user: strip every role so the UI has nothing to show
            saveContext.removing(existingRoleAssignmentEntities);
            dataManager.save(saveContext);
        }
    }
The Active attribute can be assigned in the User editor. Also, you can define the default value = false for new users:
    @Column(name = "ACTIVE")
    protected Boolean active = false;
In the MainScreen you can check the user's active attribute and change the layout to show that the application is not available for the current user.
Another option is overriding the AuthenticationProvider that is responsible for Oidc authorization.
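The second option above, rejecting the user at authentication time instead of stripping roles after login, as an added example that is neither the thread's nor Jmix's own code: a plain Spring Security OidcUserService wrapper that refuses any OIDC login whose local user record is not active, so no session is ever created for a deactivated account. The lookup predicate, the use of the preferred_username claim as the login name, and the registration call shown in the comment are assumptions about the application.

```java
import java.util.function.Predicate;

import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/**
 * Fail-closed OIDC user service. The identity provider (Azure AD) has already
 * authenticated the user; this service additionally requires the application's
 * own "active" flag to be true before the login is accepted. Failing here means
 * no authenticated session exists, so screens, REST endpoints and role
 * assignments do not have to defend themselves individually afterwards.
 */
public class ActiveUserOnlyOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {

    private final OidcUserService delegate = new OidcUserService();

    // Hypothetical lookup (assumption): returns true only when a local user record
    // with this username exists and its active flag is set. In a Jmix project this
    // would typically load the User entity by username through DataManager.
    private final Predicate<String> isActiveLocally;

    public ActiveUserOnlyOidcUserService(Predicate<String> isActiveLocally) {
        this.isActiveLocally = isActiveLocally;
    }

    @Override
    public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        // Standard claim resolution first (ID token + userinfo endpoint).
        OidcUser oidcUser = delegate.loadUser(userRequest);
        // Assumption: the app keys its User records on the preferred_username claim.
        String username = oidcUser.getPreferredUsername();
        if (username == null || !isActiveLocally.test(username)) {
            // Unknown or deactivated user: abort the login. Spring Security redirects to
            // the failure URL and nothing from the OIDC identity reaches the session.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("account_disabled", "User is not active in the application", null));
        }
        return oidcUser;
    }

    // Registration in plain Spring Security (how the Jmix OIDC add-on wires its own
    // user service is not shown in this thread, so treat this as an assumption):
    //   http.oauth2Login(login -> login.userInfoEndpoint(
    //           userInfo -> userInfo.oidcUserService(new ActiveUserOnlyOidcUserService(lookup))));
}
```

Because the check runs inside the login flow, deactivating a user in the app takes effect on the next login without touching role assignments; sessions already open still need the MainScreen check or a session invalidation.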