fix(auth): treat empty allowedEmailRegistrationDomains as no restrictions (#27178) (#27179)

aji-aju · claude · web-flow · commit 8533d1ec999a · 2026-04-09T17:02:33.000+05:30
Add isEmpty() guard so that an empty domain list does not block all OAuth self-signups. The JSON schema defaults this field to [], which previously meant "no restrictions" but started blocking every signup after the domain validation was introduced in #25391. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
@@ -930,6 +930,7 @@ private User getOrCreateOidcUser(String userName, String email, Map<String, Obje
       // Validate email domain against allowed registration domains
       Set<String> allowedDomains = authorizerConfiguration.getAllowedEmailRegistrationDomains();
       if (allowedDomains != null
+          && !allowedDomains.isEmpty()
           && !allowedDomains.contains("all")
           && !allowedDomains.contains(domain)) {
         LOG.warn(
diff --git a/openmetadata-service/src/test/java/org/openmetadata/service/security/AuthenticationCodeFlowHandlerTest.java b/openmetadata-service/src/test/java/org/openmetadata/service/security/AuthenticationCodeFlowHandlerTest.java
@@ -57,6 +57,7 @@
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -1234,6 +1235,120 @@ void getOrCreateOidcUserUpdatesExistingUserFromAdminAndTeamClaims() throws Excep
     }
   }
 
+  @Test
+  void getOrCreateOidcUserAllowsSignupWhenAllowedDomainsEmpty() throws Exception {
+    AuthenticationCodeFlowHandler handler = newHandler();
+    AuthenticationConfiguration authConfig = new AuthenticationConfiguration();
+    authConfig.setEnableSelfSignup(true);
+    setField(handler, "authenticationConfiguration", authConfig);
+    AuthorizerConfiguration authorizer = authorizerConfiguration(Set.of());
+    authorizer.setAllowedEmailRegistrationDomains(new LinkedHashSet<>());
+    setField(handler, "authorizerConfiguration", authorizer);
+
+    try (MockedStatic<Entity> entity = mockStatic(Entity.class);
+        MockedStatic<UserUtil> userUtil = mockStatic(UserUtil.class)) {
+      entity
+          .when(
+              () ->
+                  Entity.getEntityByName(
+                      Entity.USER, "gmail-user", "id,roles,teams", Include.NON_DELETED))
+          .thenThrow(EntityNotFoundException.byName("gmail-user"));
+      User draftUser = new User();
+      userUtil
+          .when(() -> UserUtil.user("gmail-user", "gmail.com", "gmail-user"))
+          .thenReturn(draftUser);
+      userUtil.when(() -> UserUtil.assignTeamsFromClaim(draftUser, List.of())).thenReturn(false);
+      User persistedUser = new User();
+      persistedUser.setName("gmail-user");
+      userUtil.when(() -> UserUtil.addOrUpdateUser(draftUser)).thenReturn(persistedUser);
+
+      User user =
+          invokePrivate(
+              handler,
+              "getOrCreateOidcUser",
+              new Class<?>[] {String.class, String.class, Map.class},
+              "gmail-user",
+              "gmail-user@gmail.com",
+              Map.of());
+
+      assertEquals(persistedUser, user);
+    }
+  }
+
+  @Test
+  void getOrCreateOidcUserBlocksDisallowedDomain() throws Exception {
+    AuthenticationCodeFlowHandler handler = newHandler();
+    AuthenticationConfiguration authConfig = new AuthenticationConfiguration();
+    authConfig.setEnableSelfSignup(true);
+    setField(handler, "authenticationConfiguration", authConfig);
+    AuthorizerConfiguration authorizer = authorizerConfiguration(Set.of());
+    authorizer.setAllowedEmailRegistrationDomains(Set.of("corp.com"));
+    setField(handler, "authorizerConfiguration", authorizer);
+
+    try (MockedStatic<Entity> entity = mockStatic(Entity.class)) {
+      entity
+          .when(
+              () ->
+                  Entity.getEntityByName(
+                      Entity.USER, "outside-user", "id,roles,teams", Include.NON_DELETED))
+          .thenThrow(EntityNotFoundException.byName("outside-user"));
+
+      AuthenticationException exception =
+          assertThrows(
+              AuthenticationException.class,
+              () ->
+                  invokePrivate(
+                      handler,
+                      "getOrCreateOidcUser",
+                      new Class<?>[] {String.class, String.class, Map.class},
+                      "outside-user",
+                      "outside-user@gmail.com",
+                      Map.of()));
+
+      assertTrue(exception.getMessage().contains("Email domain not allowed"));
+    }
+  }
+
+  @Test
+  void getOrCreateOidcUserAllowsMatchingDomain() throws Exception {
+    AuthenticationCodeFlowHandler handler = newHandler();
+    AuthenticationConfiguration authConfig = new AuthenticationConfiguration();
+    authConfig.setEnableSelfSignup(true);
+    setField(handler, "authenticationConfiguration", authConfig);
+    AuthorizerConfiguration authorizer = authorizerConfiguration(Set.of());
+    authorizer.setAllowedEmailRegistrationDomains(Set.of("gmail.com"));
+    setField(handler, "authorizerConfiguration", authorizer);
+
+    try (MockedStatic<Entity> entity = mockStatic(Entity.class);
+        MockedStatic<UserUtil> userUtil = mockStatic(UserUtil.class)) {
+      entity
+          .when(
+              () ->
+                  Entity.getEntityByName(
+                      Entity.USER, "gmail-user", "id,roles,teams", Include.NON_DELETED))
+          .thenThrow(EntityNotFoundException.byName("gmail-user"));
+      User draftUser = new User();
+      userUtil
+          .when(() -> UserUtil.user("gmail-user", "gmail.com", "gmail-user"))
+          .thenReturn(draftUser);
+      userUtil.when(() -> UserUtil.assignTeamsFromClaim(draftUser, List.of())).thenReturn(false);
+      User persistedUser = new User();
+      persistedUser.setName("gmail-user");
+      userUtil.when(() -> UserUtil.addOrUpdateUser(draftUser)).thenReturn(persistedUser);
+
+      User user =
+          invokePrivate(
+              handler,
+              "getOrCreateOidcUser",
+              new Class<?>[] {String.class, String.class, Map.class},
+              "gmail-user",
+              "gmail-user@gmail.com",
+              Map.of());
+
+      assertEquals(persistedUser, user);
+    }
+  }
+
   @Test
   void handleCallbackReturnsErrorWhenProviderRespondsWithAuthenticationError() throws Exception {
     AuthenticationCodeFlowHandler handler = newHandler();
