feat(authorization): OAuth2 Group Sync

[MisterErwin]

Add the option to sync groups via OAuth2 SSO.
If enabled, the configured scope is requested and
consequently used to retrieve the group-memberships.

Closes: #837

[MisterErwin]

Sorry in case I didn't follow the versioning changes from the contributing document, but it looks like that part of the contributing guidelines might be outdated, as I couldn't find an example in the recent merged PRs.

[Copilot]

Pull request overview

Adds optional OAuth2-based group synchronization during SSO login so LibreBooking users can be assigned to existing LibreBooking groups based on IdP-provided group membership claims (Issue #837).

Changes:

• Introduces a new authentication config key to enable/disable OAuth2 group sync and specify the scope/claim used.
• Appends the configured groups scope to the OAuth2 authorization request scope.
• Passes group membership data from the OAuth2 userinfo response into the user synchronization/registration flow and updates docs.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
lib/Config/ConfigKeys.php	Adds a new config key definition for OAuth2 groups syncing.
docs/source/Oauth2-Configuration.rst	Updates OAuth2 configuration example to include the new setting.
docs/source/ADVANCED-CONFIGURATION.rst	Documents the new advanced config key for OAuth2 group sync.
Presenters/LoginPresenter.php	Updates OAuth2 authorization URL generation to request the groups scope when configured.
Presenters/Authentication/ExternalAuthLoginPresenter.php	Extracts group memberships from userinfo and passes them through to user synchronization.

[MisterErwin]

Since copilot co-authored commits violate the commitizen rules: Should I squash all commits of this branch & force-push?
(Or is this done anyway via GitHub's squash feature? :D )

[JohnVillalovos]

Since copilot co-authored commits violate the commitizen rules: Should I squash all commits of this branch & force-push? (Or is this done anyway via GitHub's squash feature? :D )

Yes it would be nice if you could squash down to one commit please. Thanks.

As the repository rules prevent being able to merge if the CI fails to pass.

[MisterErwin]

Yes it would be nice if you could squash down to one commit please. Thanks.

No worries & thanks for the reply.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[JohnVillalovos]

@MisterErwin Thanks for the PR. I'll try to find some time over the next few days to review this.

[JohnVillalovos]

What if used your new config option and it has a default value of 'openid email profile' and then document about adding groups to the scope. Basically let people do what they want with that value.

And then it what will be used as the value for scope in the params. I think it might simplify things.

[MisterErwin]

What if used your new config option and it has a default value of 'openid email profile' and then document about adding groups to the scope. Basically let people do what they want with that value.

And then it what will be used as the value for scope in the params. I think it might simplify things.

We also require the groups key again when retrieving the user's groups from their userinfo here.

So we would need the groups part as an individual config anyhows.
Although it might be cleaner to seperate the scope groups (and here we could use your suggestion to make it cleaner) and user-profile claim(?) groups configs.

I'll try to get around to this change (and fix the conflicts)

[MisterErwin]

I've (checks the avatar to make sure its really me) found some time to split the scope (aka openid email profile and possible including groups) and the claim/userprofile property.

From my PoV the only remaining/unresolved discussion is whether to add (mocked) tests for the OAuth2 flows

[JohnVillalovos]

I've (checks the avatar to make sure its really me) found some time to split the scope (aka openid email profile and possible including groups) and the claim/userprofile property.

From my PoV the only remaining/unresolved discussion is whether to add (mocked) tests for the OAuth2 flows

Thanks from a quick glance this looks better. I will do a more thorough review this week.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

[Copilot]

$groupsScope is populated from AUTHENTICATION_OAUTH2_GROUPS_CLAIM and then used as the claim key in the userinfo array. The variable name (and later $groupsClaim) makes this easy to misread as an OAuth2 scope. Rename to something like $groupsClaimKey/$groupsClaimName to match what the value represents (aligns with repo naming guidance).

[JohnVillalovos]

@MisterErwin

Here is Claude's review

Code Review: feat(authorization): OAuth2 Group Sync (9b1aa26)

Commit Message — ✅ Good

Follows conventional commit format, clear subject, references issue #837. One minor note: "authorization" in the scope is slightly off — this touches authentication (SSO login), not authorization (permissions). authentication or oauth2 would be a better scope.

---

What the PR does

1. Makes OAuth2 scopes configurable (oauth2.scope, default: openid email profile)
2. Adds optional group sync: if oauth2.groups.claim is set, reads the named claim from the userinfo response and syncs matching LibreBooking groups on login
3. Refactors processUserData() to call Synchronize() for all OAuth2 logins, not just new registrations

---

Issues

Critical — Behavioral regression in processUserData()

The refactoring in ExternalAuthLoginPresenter.php:312 changes behavior for all SSO providers (Google, Facebook, Microsoft, Keycloak, OAuth2), not just generic OAuth2:

Before:

if ($this->registration->UserExists($username, $email)) {
    // Just login — no Synchronize
    $this->authentication->Login(...);
} else {
    if ($allowRegistration) {
        $this->registration->Synchronize(...); // create user
        $this->authentication->Login(...);
    } else {
        $this->page->ShowError(...);
    }
}

After:

if ($allowRegistration || $this->registration->UserExists($username, $email)) {
    $this->registration->Synchronize(...); // ALWAYS called for existing users too
    $this->authentication->Login(...);
} else {
    $this->page->ShowError(...);
}

Synchronize() now runs UpdateUserFromLdapCommand (overwrites name, phone, org, title from the IdP) on every login for all existing users. For providers that don't provide phone/org/title (Google, Facebook, Microsoft), those fields will be reset to null on every login. Users who manually updated those fields in LibreBooking will have them silently wiped.

This change is likely intentional to make group sync work on existing users (not just at registration), but the commit message doesn't mention this broader impact, and it should at minimum be called out in the PR.

Variable naming confusion — ProcessOauth2SingleSignOn()

$groupsScope = Configuration::Instance()->GetKey(ConfigKeys::AUTHENTICATION_OAUTH2_GROUPS_CLAIM);

$groupsScope is reading the claim name, not a scope. "Scope" and "claim" are distinct OAuth2/OIDC concepts (scopes are requested during authorization; claims are fields in the token/userinfo response). This is confusing and will mislead future maintainers. Should be $groupsClaimName or $claimName.

Silent failure when claim is a string

if (is_array($groupsClaim)) {
    $groups = array_map('strval', $groupsClaim);
} else {
    $groups = null; // silently drops non-array claims
}

Some OIDC providers return a single group as a plain string rather than a ["group"] array. When that happens, groups are silently not synced. At minimum a Log::Warning(...) should be emitted so admins can debug why groups aren't syncing.

Inconsistency: no group sync for Keycloak

ProcessKeycloakSingleSignOn() does not get group sync, even though Keycloak is probably the most common provider that exposes groups. The feature should either be documented as OAuth2-only or extended to Keycloak.

No tests

processUserData() behavior changed significantly, and there are zero test additions. The existing tests (if any existed) won't cover the new paths. The tests/ directory has no files for ExternalAuthLoginPresenter.

---

What works well

• The scope-configurable feature (oauth2.scope) is clean and backwards compatible (default matches the previous hardcoded value).
• The config keys follow existing patterns exactly.
• Documentation is updated in both ADVANCED-CONFIGURATION.rst and Oauth2-Configuration.rst — the code example is helpful.
• .env.example and config/config.dist.php are both updated consistently.
• The group matching logic in Registration::GetUserGroups() (pre-existing) already supports LDAP-style DN group names as an alt-match, which is a nice bonus.
• array_map('strval', $groupsClaim) to ensure string types is defensive and correct.

---

Should this be merged upstream?

Not yet, as-is. The core feature (configurable scopes + group sync) is valuable and well-conceived. But before merging:

1. Fix the variable name $groupsScope → $groupsClaimName
2. Add a log warning (or info) when the groups claim exists but isn't an array
3. Document or mitigate the processUserData() behavioral change — either note it explicitly in the commit message/CHANGELOG and accept it, or guard the Synchronize() call so profile fields aren't overwritten for providers that don't supply them (e.g., skip UpdateUserFromLdapCommand when all non-email fields are null)
4. Add tests — at least for the new group-reading logic and the changed processUserData() branching
5. Consider Keycloak parity — either implement the same for Keycloak or document the limitation

[JohnVillalovos]

Codex review:

Review: 9b1aa26 feat(authorization): OAuth2 Group Sync

Merge Recommendation

Do not merge as-is.

The feature is useful and the changed surface area is fairly small, but the commit changes existing OAuth login behavior so that existing users now go through Registration::Synchronize() on every login. That exposes correctness issues in the group synchronization path, including a security-relevant permission retention case.

Findings

P1: Existing OAuth users can fail group sync when matched by email but not username

Presenters/Authentication/ExternalAuthLoginPresenter.php:321 now calls Synchronize() when either self-registration is enabled or UserExists($username, $email) returns true.

Registration::UserExists() treats username or email as a match, and UPDATE_USER_BY_USERNAME also updates by:

WHERE `username` = @username OR `email` = @email

However, the group update path then reloads the user only by the incoming username:

$updatedUser = $this->userRepository->LoadByUsername($user->Username());

If an existing LibreBooking account is matched by email while the OAuth preferred_username differs from the local username, the initial update can affect the right row, but group sync can load NullUser because LoadByUsername() only searches by the incoming username/email value. With group sync enabled, this can issue group updates with a null user id and break login.

Recommended fix: load the actual matched user by id, or otherwise carry the matched account identity through the sync path instead of reloading only by incoming username.

P1: A valid empty OAuth group claim does not clear existing memberships

ExternalAuthLoginPresenter maps an array groups claim directly into $groups, so an IdP response like:

{ "groups": [] }

should mean the user currently has no groups.

But Registration::GetUserGroups() returns null for an empty group list:

if (empty($userGroups)) {
    return null;
}

Synchronize() uses null to skip group updates, so an empty groups claim leaves the user's previous local groups intact. That is a permission retention bug for an authorization sync feature: removing someone from their last IdP group should remove their local group memberships.

Recommended fix: preserve the distinction between "group sync disabled / claim missing / claim malformed" and "claim present but empty." Empty-but-present should update the user to no matching groups.

Did This Behavior Change in the Commit?

Yes.

Before this commit, existing external-auth users were logged in without calling Synchronize():

if ($this->registration->UserExists($username, $email)) {
    $this->authentication->Login(...);
}

This commit changed the flow so existing users call Synchronize() before login:

if ($allowRegistration || $this->registration->UserExists($username, $email)) {
    $this->registration->Synchronize(...);
    $this->authentication->Login(...);
}

The email-match/username-mismatch issue is newly exposed by this commit. The underlying Registration::Synchronize() behavior already existed, but existing OAuth users did not hit it before.

The empty-group behavior also existed in shared registration code, but OAuth2 group sync is introduced by this commit, so this is a new OAuth2 feature bug.

[JohnVillalovos]

@MisterErwin

I think the AI reviews are raising valid points about how the behavior changes. And I'm concerned it could break authentication for some providers.

Please let me know what you think? Thanks.