fix(auth): treat empty allowedEmailRegistrationDomains as no restrictions

[aji-aju]

Summary

• Fixes Empty allowedEmailRegistrationDomains blocks all OAuth self-signups #27178
• Add !allowedDomains.isEmpty() guard to AuthenticationCodeFlowHandler.getOrCreateOidcUser() so an empty allowedEmailRegistrationDomains array is treated as "no restrictions" instead of "block all domains"
• Add 3 unit tests covering empty, disallowed, and matching domain scenarios

Root Cause

PR #25391 introduced domain validation in the OAuth self-signup flow. The check treats [] (the JSON schema default) as "no domain is allowed", which is a regression — previously empty meant "no restrictions". Since 1.12, this field is no longer shown in the UI, making it impossible to fix without a direct API call.

Test plan

• getOrCreateOidcUserAllowsSignupWhenAllowedDomainsEmpty — empty [] allows signup (regression fix)
• getOrCreateOidcUserBlocksDisallowedDomain — explicit list blocks non-matching domain
• getOrCreateOidcUserAllowsMatchingDomain — explicit list allows matching domain
• All 46 existing tests pass

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Fixes a regression in the OAuth/OIDC self-signup flow where an empty allowedEmailRegistrationDomains configuration (schema default []) unintentionally blocked all registrations, restoring the intended “no restrictions” behavior.

Changes:

• Update AuthenticationCodeFlowHandler.getOrCreateOidcUser() to treat an empty allowedEmailRegistrationDomains set as “no restrictions”.
• Add unit tests covering empty-allowed-domains, disallowed-domain, and matching-domain scenarios.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java	Adds an isEmpty() guard so empty domain allowlists don’t block OAuth self-signup.
openmetadata-service/src/test/java/org/openmetadata/service/security/AuthenticationCodeFlowHandlerTest.java	Adds 3 unit tests validating the corrected domain-allowlist behavior.

[github-actions]

🟡 Playwright Results — all passed (24 flaky)

✅ 3594 passed · ❌ 0 failed · 🟡 24 flaky · ⏭️ 207 skipped

Shard	Passed	Failed	Flaky	Skipped
🟡 Shard 1	454	0	3	2
🟡 Shard 2	636	0	6	32
🟡 Shard 3	649	0	2	26
🟡 Shard 4	618	0	4	47
🟡 Shard 5	605	0	2	67
🟡 Shard 6	632	0	7	33

🟡 24 flaky test(s) (passed on retry)

• Features/Pagination.spec.ts › should test Database Schema Tables normal pagination (shard 1, 1 retry)
• Features/Pagination.spec.ts › should test pagination on Observability Alerts page (shard 1, 1 retry)
• Pages/UserCreationWithPersona.spec.ts › Create user with persona and verify on profile (shard 1, 1 retry)
• Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
• Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › Admin: Complete export-import-validate flow (shard 2, 1 retry)
• Features/DataQuality/TestCaseIncidentPermissions.spec.ts › User with only VIEW cannot PATCH incidents (shard 2, 1 retry)
• Features/DataQuality/TestCaseResultPermissions.spec.ts › User with TEST_CASE.EDIT_ALL can see edit action on test case (shard 2, 1 retry)
• Features/DomainTierCertificationVoting.spec.ts › DataProduct - Certification assign, update, and remove (shard 2, 1 retry)
• Features/ExploreQuickFilters.spec.ts › search dropdown should work properly for quick filters (shard 2, 1 retry)
• Features/Permissions/GlossaryPermissions.spec.ts › Team-based permissions work correctly (shard 3, 1 retry)
• Flow/ExploreDiscovery.spec.ts › Should display deleted assets when showDeleted is checked and deleted is not present in queryFilter (shard 3, 1 retry)
• Pages/Customproperties-part2.spec.ts › entityReferenceList shows item count, scrollable list, no expand toggle (shard 4, 1 retry)
• Pages/Domains.spec.ts › Rename domain with owners and experts preserves assignments (shard 4, 1 retry)
• Pages/Entity.spec.ts › Inactive Announcement create & delete (shard 4, 1 retry)
• Pages/Entity.spec.ts › Glossary Term Add, Update and Remove (shard 4, 1 retry)
• Pages/ExploreTree.spec.ts › Verify Database and Database Schema available in explore tree (shard 5, 1 retry)
• Pages/Glossary.spec.ts › Delete Glossary and Glossary Term using Delete Modal (shard 5, 1 retry)
• Features/AutoPilot.spec.ts › Agents created by AutoPilot should be deleted (shard 6, 1 retry)
• Pages/Glossary.spec.ts › Column dropdown drag-and-drop functionality for Glossary Terms table (shard 6, 1 retry)
• Pages/HyperlinkCustomProperty.spec.ts › should display URL when no display text is provided (shard 6, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/Login.spec.ts › Refresh should work (shard 6, 1 retry)
• Pages/ProfilerConfigurationPage.spec.ts › Non admin user (shard 6, 1 retry)
• Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

[gitar-bot]

Code Review ✅ Approved

Treats empty allowedEmailRegistrationDomains as no restrictions, allowing unrestricted email registration when the domain list is not configured. No issues found.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Failed to cherry-pick changes to the 1.12.5 branch.
Please cherry-pick the changes manually.
You can find more details here.