Prevent destructive group membership wipes during OIDC synchronization #14107

@Gpetrak

Description

Currently, GeoNode employs a strict, reconciliation-based approach to synchronizing user groups during the social login flow (OIDC/Azure). While this ensures a 1:1 mirror with the Identity Provider (IdP), it lacks the flexibility required for environments where group memberships may be managed partially or entirely within GeoNode.

More specifically, the issue comes from the _update_user_groups_from_social method during the pre_social_login flow in the GenericOpenIDConnectAdapter class.

Currently, this logic is destructive: regardless of what Azure returns, the code removes the user from all local GeoNode groups before attempting to re-sync. If the provider does not send explicit group claims, the user is left with no groups, effectively wiping any manual assignments made by the GeoNode Admin.

Proposed solution

To resolve the destructive nature of the current OIDC group sync, we propose introducing a configurable setting, SOCIALACCOUNT_SYNC_USER_GROUPS_ON_LOGIN, allowing administrators to choose the logic that fits their organizational policy:

  • Choice 1: FULL_SYNC (the current and default approach): maintains the existing behavior for backward compatibility, wiping all local groups on every login so that membership matches the provider's token exactly.
  • Choice 2: SAFE_SYNC: acts as a safety net. If Azure sends no group data, GeoNode skips the synchronization entirely. However, if Azure sends at least one group, a full "wipe-and-sync" occurs to ensure the identity provider remains the absolute source of truth.
  • Choice 3: NO_SYNC: completely decouples GeoNode group memberships from the social provider. In this mode, Azure/OIDC is used exclusively for authentication (identifying the user), while groups are managed by GeoNode. No groups are added or removed during the login flow, ensuring total stability and manual control over user permissions.

By moving to a method-based setting, we provide a more flexible approach to the Social / GeoNode sync in terms of the groups. This allows us to solve the immediate data-loss issue for users with missing OIDC claims while still supporting high-security environments that require strict 1:1 group mirroring.

FULL_SYNC, the current approach, will remain the default configuration.
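The following is an added example modelling the three proposed policies as a pure function, so the difference between them can be checked against sample input; it is not GeoNode's own code. Only the setting name SOCIALACCOUNT_SYNC_USER_GROUPS_ON_LOGIN and the three choice values come from the proposal above; the function names, the sample group names and the way the provider's claims are passed in are assumptions, and the real adapter would read and write Django group objects rather than plain sets.

```python
"""Model of the three group-sync policies proposed for GeoNode's OIDC login.

Added example, not GeoNode's code: sync_groups / describe_change and the
sample group names are assumptions; the setting name and its three values
are the ones from the proposal.
"""

FULL_SYNC = "FULL_SYNC"
SAFE_SYNC = "SAFE_SYNC"
NO_SYNC = "NO_SYNC"

# Default mirrors the proposal: the current wipe-and-sync behaviour is kept.
SOCIALACCOUNT_SYNC_USER_GROUPS_ON_LOGIN = FULL_SYNC


def sync_groups(local_groups, provider_groups,
                mode=SOCIALACCOUNT_SYNC_USER_GROUPS_ON_LOGIN):
    """Return the set of group names the user should hold after login.

    local_groups    -- groups currently assigned in GeoNode (e.g. by an admin)
    provider_groups -- group claims from the IdP token; None or an empty
                       sequence means the provider sent no group data
    mode            -- one of the SOCIALACCOUNT_SYNC_USER_GROUPS_ON_LOGIN choices
    """
    local = set(local_groups)
    claimed = set(provider_groups or [])

    if mode == NO_SYNC:
        # Provider is authentication-only; GeoNode owns membership entirely.
        return local
    if mode == SAFE_SYNC and not claimed:
        # Safety net: no claims in the token, so leave local groups untouched.
        return local
    if mode in (FULL_SYNC, SAFE_SYNC):
        # Wipe-and-sync: the IdP is the source of truth, local groups are
        # replaced by exactly what the token carried (possibly nothing).
        return claimed
    raise ValueError(f"unknown sync mode: {mode!r}")


def describe_change(local_groups, provider_groups, mode):
    """Report which groups a login would add and remove under a given mode.

    This is the dry-run check an operator would want before changing the
    setting: it makes the destructive case (everything removed) visible.
    """
    before = set(local_groups)
    after = sync_groups(local_groups, provider_groups, mode)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    # Constructed sample: an admin assigned 'reviewers' and 'staff' inside
    # GeoNode, and the IdP token carries no group claim at all.
    local = ["reviewers", "staff"]
    for mode in (FULL_SYNC, SAFE_SYNC, NO_SYNC):
        print(f"{mode:9s} no claims  -> {describe_change(local, None, mode)}")
    # Same user, but the token now carries a single group.
    for mode in (FULL_SYNC, SAFE_SYNC, NO_SYNC):
        print(f"{mode:9s} ['gis']    -> {describe_change(local, ['gis'], mode)}")
```

Running the block prints, for the no-claims case, that FULL_SYNC removes both local groups (the data loss described above), while SAFE_SYNC and NO_SYNC remove nothing; with a single claimed group, FULL_SYNC and SAFE_SYNC both replace the local groups with it, and only NO_SYNC leaves them alone.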
