fix(oidc): Update group membership each login (and make group extraction disabled by default)

datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java

@@ -55,6 +55,7 @@
 import play.mvc.Result;
 import auth.sso.SsoManager;
 
+import static com.linkedin.metadata.Constants.*;
 import static play.mvc.Results.*;
 import static auth.AuthUtils.*;
 
@@ -125,16 +126,14 @@ private Result handleOidcCallback(
         if (oidcConfigs.isJitProvisioningEnabled()) {
           log.debug("Just-in-time provisioning is enabled. Beginning provisioning process...");
           CorpUserSnapshot extractedUser = extractUser(corpUserUrn, profile);
+          tryProvisionUser(extractedUser);
           if (oidcConfigs.isExtractGroupsEnabled()) {
             // Extract groups & provision them.
             List<CorpGroupSnapshot> extractedGroups = extractGroups(profile);
             tryProvisionGroups(extractedGroups);
-            if (extractedGroups.size() > 0) {
-              // Associate group with the user logging in.
-              extractedUser.getAspects().add(CorpUserAspect.create(createGroupMembership(extractedGroups)));
-            }
+            // Add users to groups on DataHub. Note that this clears existing group membership for a user if it already exists.
+            updateGroupMembership(corpUserUrn, createGroupMembership(extractedGroups));
           }
-          tryProvisionUser(extractedUser);
         } else if (oidcConfigs.isPreProvisioningRequired()) {
           // We should only allow logins for user accounts that have been pre-provisioned
           log.debug("Pre Provisioning is required. Beginning validation of extracted user...");
@@ -372,6 +371,21 @@ private void tryProvisionGroups(List<CorpGroupSnapshot> corpGroups) {
     }
   }
 
+  private void updateGroupMembership(Urn urn, GroupMembership groupMembership) {
+    log.debug(String.format("Updating group membership for user %s", urn));
+    final MetadataChangeProposal proposal = new MetadataChangeProposal();
+    proposal.setEntityUrn(urn);
+    proposal.setEntityType(CORP_USER_ENTITY_NAME);
+    proposal.setAspectName(GROUP_MEMBERSHIP_ASPECT_NAME);
+    proposal.setAspect(GenericAspectUtils.serializeAspect(groupMembership));
+    proposal.setChangeType(ChangeType.UPSERT);
+    try {
+      _entityClient.ingestProposal(proposal, _systemAuthentication);
+    } catch (RemoteInvocationException e) {
+      throw new RuntimeException(String.format("Failed to update group membership for user with urn %s", urn), e);
+    }
+  }
+
   private void verifyPreProvisionedUser(CorpuserUrn urn) {
     // Validate that the user exists in the system (there is more than just a key aspect for them, as of today).
     try {

datahub-frontend/app/auth/sso/oidc/OidcConfigs.java

@@ -47,7 +47,7 @@ public class OidcConfigs extends SsoConfigs {
     private static final String DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD = "client_secret_basic";
     private static final String DEFAULT_OIDC_JIT_PROVISIONING_ENABLED = "true";
     private static final String DEFAULT_OIDC_PRE_PROVISIONING_REQUIRED = "false";
-    private static final String DEFAULT_OIDC_EXTRACT_GROUPS_ENABLED = "true";
+    private static final String DEFAULT_OIDC_EXTRACT_GROUPS_ENABLED = "false"; // False since extraction of groups can overwrite existing group membership.
     private static final String DEFAULT_OIDC_GROUPS_CLAIM = "groups";
 
     private String clientId;

docker/datahub-frontend/env/docker.env

@@ -28,7 +28,7 @@ JAVA_OPTS=-Xms512m -Xmx512m -Dhttp.port=9002 -Dconfig.file=datahub-frontend/conf
 # Optional Provisioning Configs
 # AUTH_OIDC_JIT_PROVISIONING_ENABLED=true
 # AUTH_OIDC_PRE_PROVISIONING_REQUIRED=false
-# AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true
+# AUTH_OIDC_EXTRACT_GROUPS_ENABLED=false
 # AUTH_OIDC_GROUPS_CLAIM=groups
 
 # Uncomment to disable JAAS username / password authentication (enabled by default)

docs/how/auth/sso/configure-oidc-react.md

@@ -143,15 +143,15 @@ The default provisioning behavior can be customized using the following configs.
 # User and groups provisioning
 AUTH_OIDC_JIT_PROVISIONING_ENABLED=true
 AUTH_OIDC_PRE_PROVISIONING_REQUIRED=false
-AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true
+AUTH_OIDC_EXTRACT_GROUPS_ENABLED=false
 AUTH_OIDC_GROUPS_CLAIM=<your-groups-claim-name>
 ```
 
 - `AUTH_OIDC_JIT_PROVISIONING_ENABLED`: Whether DataHub users & groups should be provisioned on login if they do not exist. Defaults to true.
 - `AUTH_OIDC_PRE_PROVISIONING_REQUIRED`: Whether the user should already exist in DataHub when they login, failing login if they are not. This is appropriate for situations in which users and groups are batch ingested and tightly controlled inside your environment. Defaults to false.
   the userNameClaim field will contain an email address, and we want to omit the domain name suffix of the email, we can specify a custom
   regex to do so. (e.g. `([^@]+)`)
-- `AUTH_OIDC_EXTRACT_GROUPS_ENABLED`: Only applies if `AUTH_OIDC_JIT_PROVISIONING_ENABLED` is set to true. This determines whether we should attempt to extract a list of group names from a particular claim in the OIDC attributes. Defaults to true. 
+- `AUTH_OIDC_EXTRACT_GROUPS_ENABLED`: Only applies if `AUTH_OIDC_JIT_PROVISIONING_ENABLED` is set to true. This determines whether we should attempt to extract a list of group names from a particular claim in the OIDC attributes. Note that if this is enabled, each login will re-sync group membership with the groups in your Identity Provider, clearing the group membership that has been assigned through the DataHub UI. Enable with care! Defaults to false.
 - `AUTH_OIDC_GROUPS_CLAIM`: Only applies if `AUTH_OIDC_EXTRACT_GROUPS_ENABLED` is set to true. This determines which OIDC claim will contain a list of string group names. Defaults to 'groups'