diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 3e84a7bea6..60c1f504a1 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -480,8 +480,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
 userFromDb = new UaaUser(getUserDatabase().retrieveUserPrototypeById(invitedUserId));
 }
 
+ boolean isRegisteredIdpAuthentication = isRegisteredIdpAuthentication(request);
+
 //we must check and see if the email address has changed between authentications
- if (haveUserAttributesChanged(userFromDb, userFromRequest) && isRegisteredIdpAuthentication(request)) {
+ if (haveUserAttributesChanged(userFromDb, userFromRequest) && isRegisteredIdpAuthentication) {
 logger.debug("User attributed have changed, updating them.");
 userFromDb = userFromDb.modifyAttributes(email,
 userFromRequest.getGivenName(),
@@ -493,8 +495,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
 userModified = true;
 }
 
- ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true);
- publish(event);
+ if (isRegisteredIdpAuthentication) {
+ ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true);
+ publish(event);
+ }
 
 return getUserDatabase().retrieveUserById(userFromDb.getId());
 }
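Review bot: The new local `isRegisteredIdpAuthentication` has exactly the same name as the method it caches, so the guard on the attribute update now differs from a method call only by the missing `(request)`. A distinct, final name such as `final boolean fromRegisteredIdp = isRegisteredIdpAuthentication(request);` would make the trust decision easier to follow at both places it is used. The context comment above the first `if` still speaks only of the email address, while the condition (judging by the name `haveUserAttributesChanged`) covers more than that and also depends on the IdP check; I would reword it to `// only a registered IdP may update the stored user attributes`. `userAuthenticated` starts before this hunk and continues after it.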
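Review bot: The `if (isRegisteredIdpAuthentication)` guard around `publish(event)` has neither a comment nor a log line on the skipped path, so nothing records that leaving out the external group update is a deliberate trust decision. I would add above it `// authorities from a token not issued by a registered IdP must not change the shadow user's external groups`, and an `else { logger.debug("Skipping external group authorization: not a registered IdP authentication"); }` so the skip is visible when tracing a login. What `isRegisteredIdpAuthentication(request)` actually checks is not visible in this diff, so the comment wording should be confirmed against that method. The method's closing brace is in the hunk, but its start is not.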
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
index 6600d4e69a..754793bf8d 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
@@ -7,6 +7,7 @@
 import org.apache.commons.lang3.RandomStringUtils;
 import org.cloudfoundry.identity.uaa.authentication.AccountNotPreCreatedException;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
+import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.NewUserAuthenticatedEvent;
@@ -908,6 +909,37 @@ void updateShadowUser_IfAlreadyExists() {
 assertEquals(OriginKeys.UAA, uaaUser.getZoneId());
 }
 
+ @Test
+ void publishExternalGroupAuthorizationEvent_skippedIf_notIsRegisteredIdpAuthentication() {
+ claims.put("user_name", "12345");
+ claims.put("origin", "the_origin");
+ claims.put("iss", UAA_ISSUER_URL);
+
+ UaaUser existingShadowUser = new UaaUser(new UaaUserPrototype()
+ .withUsername("12345")
+ .withPassword("")
+ .withEmail("marissa_old@bloggs.com")
+ .withGivenName("Marissa_Old")
+ .withFamilyName("Bloggs_Old")
+ .withId("user-id")
+ .withOrigin("the_origin")
+ .withZoneId("uaa")
+ .withAuthorities(UaaAuthority.USER_AUTHORITIES));
+
+ userDatabase.addUser(existingShadowUser);
+
+ CompositeToken token = getCompositeAccessToken();
+ String idToken = token.getIdTokenValue();
+ xCodeToken = new ExternalOAuthCodeToken(null, null, null, idToken, null, null);
+
+ externalOAuthAuthenticationManager.authenticate(xCodeToken);
+
+ ArgumentCaptor userArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
+ verify(publisher, times(1)).publishEvent(userArgumentCaptor.capture());
+ assertEquals(1, userArgumentCaptor.getAllValues().size());
+ assertTrue(userArgumentCaptor.getAllValues().get(0) instanceof IdentityProviderAuthenticationSuccessEvent);
+ }
+
 @Test
 void invitedUser_becomesVerifiedOnAccept() {
 setUpInvitedUser();
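Review bot: The new test proves the skip only indirectly, by counting one published event, and never checks that the stored shadow user is left as it was. The fixture uses `marissa_old@bloggs.com` and `Marissa_Old`, so adding `assertEquals("marissa_old@bloggs.com", userDatabase.retrieveUserById("user-id").getEmail());` after `authenticate(xCodeToken)` would also pin that a non-registered IdP cannot overwrite attributes. This assumes the token built by `getCompositeAccessToken()` carries different values, which is not visible in this hunk. `times(1)` and the following `assertEquals(1, userArgumentCaptor.getAllValues().size())` check the same thing, so one of them can go. The captor holds events rather than users, so `eventCaptor` would be a clearer name than `userArgumentCaptor`.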