Summary
During the RegistrationGuard SPI implementation (#271), several inconsistencies were found in DSOidcUserService compared to DSOAuth2UserService.
Issues
1. Missing .toLowerCase() on email lookup
DSOidcUserService.handleOidcLoginSuccess() line 76 does not normalize email case before findByEmail(), unlike the OAuth2 path which calls user.getEmail().toLowerCase() at line 88 of DSOAuth2UserService.
2. Missing audit event
registerNewOidcUser() does not publish an AuditEvent, unlike registerNewOAuthUser() which publishes an "OAuth2 Registration Success" audit event.
3. Missing @Transactional
DSOidcUserService has no @Transactional at class or method level, unlike DSOAuth2UserService which has @Transactional on both the class and the registerNewOAuthUser() method.
4. Missing loginHelperService call
OIDC loadUser() builds DSUserDetails directly without calling loginHelperService.userLoginHelper(), so lastActivityDate isn't updated and the lockout check is skipped. The OAuth2 path correctly calls loginHelperService.userLoginHelper(dbUser).
Expected Behavior
Both services should behave consistently:
- Normalize email to lowercase before lookup
- Publish audit events on new user registration
- Use @Transactional for database operations
- Call loginHelperService.userLoginHelper() to update activity dates and check lockout
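As an added illustration (not the project's code), here is what the OIDC success path looks like with all four expected behaviours applied. The field names (userRepository, eventPublisher), the DSUser entity, the AuditEvent constructor and the DSUserDetails constructor are assumptions; the class, method and helper names come from the issue.

```java
import java.util.Locale;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.transaction.annotation.Transactional;

// Class-level @Transactional mirrors DSOAuth2UserService. It also covers the
// self-invocation of registerNewOidcUser(), which a method-level annotation
// alone would not intercept through the Spring proxy.
@Transactional
public class DSOidcUserService {

    private final UserRepository userRepository;            // assumed field name
    private final LoginHelperService loginHelperService;
    private final ApplicationEventPublisher eventPublisher; // assumed field name

    public DSOidcUserService(UserRepository userRepository,
                             LoginHelperService loginHelperService,
                             ApplicationEventPublisher eventPublisher) {
        this.userRepository = userRepository;
        this.loginHelperService = loginHelperService;
        this.eventPublisher = eventPublisher;
    }

    public DSUserDetails handleOidcLoginSuccess(OidcUser oidcUser) {
        // 1. Normalize case before the lookup, as the OAuth2 path does. Without this,
        //    "Alice@Example.com" from the IdP misses the stored "alice@example.com"
        //    and the same person is registered a second time.
        String email = oidcUser.getEmail().toLowerCase(Locale.ROOT);

        DSUser dbUser = userRepository.findByEmail(email)
                .orElseGet(() -> registerNewOidcUser(email));

        // 4. Same helper as the OAuth2 path: refreshes lastActivityDate and applies the
        //    lockout check, so a locked account gets no alternative way in via OIDC.
        loginHelperService.userLoginHelper(dbUser);

        return new DSUserDetails(dbUser); // assumed constructor
    }

    // 3. Method-level @Transactional as on registerNewOAuthUser(): the insert and the
    //    audit publication commit or roll back together.
    @Transactional
    protected DSUser registerNewOidcUser(String email) {
        DSUser user = new DSUser();        // assumed entity
        user.setEmail(email);
        DSUser saved = userRepository.save(user);

        // 2. Audit event, matching "OAuth2 Registration Success" on the OAuth2 path.
        eventPublisher.publishEvent(new AuditEvent(saved.getEmail(), "OIDC Registration Success"));
        return saved;
    }
}
```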