
Fix OIDC service inconsistencies with OAuth2 service #276

Description

@devondragon

Summary

During the RegistrationGuard SPI implementation (#271), several inconsistencies were found in DSOidcUserService compared to DSOAuth2UserService.

Issues

1. Missing .toLowerCase() on email lookup

DSOidcUserService.handleOidcLoginSuccess() (line 76) does not normalize the email's case before calling findByEmail(), unlike the OAuth2 path, which calls user.getEmail().toLowerCase() at line 88 of DSOAuth2UserService.

2. Missing audit event

registerNewOidcUser() does not publish an AuditEvent, unlike registerNewOAuthUser(), which publishes an "OAuth2 Registration Success" audit event.

3. Missing @Transactional

DSOidcUserService has no @Transactional at class or method level, unlike DSOAuth2UserService, which has @Transactional on both the class and the registerNewOAuthUser() method.

4. Missing loginHelperService call

The OIDC loadUser() builds DSUserDetails directly without calling loginHelperService.userLoginHelper(), so lastActivityDate isn't updated and the lockout check is skipped. The OAuth2 path correctly calls loginHelperService.userLoginHelper(dbUser).

Expected Behavior

Both services should behave consistently:

  • Normalize email to lowercase before lookup
  • Publish audit events on new user registration
  • Use @Transactional for database operations
  • Call loginHelperService.userLoginHelper() to update activity dates and check lockout
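What the OIDC path looks like with all four fixes applied, as an added sketch rather than the project's own code. UserRepository, LoginHelperService, User, DSUserDetails and the AuditEvent constructor are assumed shapes; only the names and the four fixes come from the issue above.

```java
import java.util.Locale;
import java.util.Map;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.transaction.annotation.Transactional;

@Transactional // fix 3: class-level, matching DSOAuth2UserService
public class DSOidcUserService {
    private final UserRepository userRepository;         // assumed: findByEmail(String), save(User)
    private final LoginHelperService loginHelperService; // assumed: userLoginHelper(User) returns DSUserDetails
    private final ApplicationEventPublisher eventPublisher;

    public DSOidcUserService(UserRepository userRepository, LoginHelperService loginHelperService,
                             ApplicationEventPublisher eventPublisher) {
        this.userRepository = userRepository;
        this.loginHelperService = loginHelperService;
        this.eventPublisher = eventPublisher;
    }

    public DSUserDetails handleOidcLoginSuccess(OidcUser oidcUser) {
        // Fix 1: normalise case before the lookup. Without this an IdP that returns
        // "Alice@Example.com" misses the stored "alice@example.com" row and a second
        // account is created for the same person. Locale.ROOT keeps the result
        // locale-independent (the OAuth2 path uses a plain toLowerCase()).
        String email = oidcUser.getEmail().toLowerCase(Locale.ROOT);
        User dbUser = userRepository.findByEmail(email);
        if (dbUser == null) {
            dbUser = registerNewOidcUser(oidcUser, email);
        }
        // Fix 4: go through the shared helper instead of building DSUserDetails directly,
        // so lastActivityDate is updated and a locked account is rejected on the OIDC path too.
        return loginHelperService.userLoginHelper(dbUser);
    }

    @Transactional // fix 3: method-level as well, as on registerNewOAuthUser()
    protected User registerNewOidcUser(OidcUser oidcUser, String email) {
        User user = new User(); // assumed entity with setEmail/setName
        user.setEmail(email);
        user.setName(oidcUser.getFullName());
        User saved = userRepository.save(user);
        // Fix 2: audit parity with "OAuth2 Registration Success". AuditEvent is assumed to be
        // the project's own event class; this constructor shape is an assumption.
        eventPublisher.publishEvent(new AuditEvent(saved.getEmail(), "OIDC Registration Success",
                Map.of("issuer", String.valueOf(oidcUser.getIssuer()))));
        return saved;
    }
}
```

One caveat: the self-invocation of registerNewOidcUser() from handleOidcLoginSuccess() does not pass through the Spring proxy, so the method-level annotation only has an effect when the class-level one (or an external caller) has already opened the transaction.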

Metadata

Labels: bug