Summary
After a successful online sign-in via the OIDC broker, every subsequent offline sign-in by the same user fails immediately with:
authd[…]: failed to update user "<user>": failed to add user to local group: \
UNIQUE constraint failed: users_to_local_groups.uid, users_to_local_groups.group_name
The user is denied authentication at GDM and the local groups configured under owner_extra_groups (and/or extra_groups) are silently dropped from the daemon's group table. Reproducible deterministically with nmcli networking off after the first online sign-in.
Versions
authd deb 0.5.5 from ppa:ubuntu-enterprise-desktop/authd on Ubuntu 24.04.3authd-oidc snap 0.4.0 from stable (also reproduces against latest/edge as of 2026-04-28)- Identity provider: Okta (Org Authorization Server)
Configuration that triggers it
Single-user laptop, /var/snap/authd-oidc/current/broker.conf:
[oidc]
issuer = https://<tenant>.oktapreview.com
client_id = <client_id>
extra_scopes = offline_access
[users]
allowed_users = OWNER
owner_extra_groups = sudo, docker, dialout
Reproducer
-
Configure broker.conf as above. Sign in successfully online as <user> via GDM. JIT provisioning works; id <user> shows the user with sudo, docker, dialout. The daemon's users_to_local_groups table contains exactly:
<uid>|dialout
<uid>|docker
<uid>|sudo
-
Sign out. nmcli networking off. Sign in again at GDM with the same user.
-
Expected: offline cached sign-in succeeds, id still shows the same group set.
Actual: GDM rejects with "Authentication failure". journalctl -u authd shows the UNIQUE constraint failed error above. The daemon then falls back to writing the user without the local groups, so on the next online sign-in id is missing sudo / docker / dialout until the broker cache is wiped and the user signs in online again.
Root cause
Broker.finishAuth in authd-oidc-brokers/internal/broker/broker.go unconditionally appends b.cfg.extraGroups and (when applicable) b.cfg.ownerExtraGroups to authInfo.UserInfo.Groups and then writes the result back to disk via CacheAuthInfo. The append is correct on the online path because the calling code resets authInfo.UserInfo.Groups = groups to a fresh provider response before reaching finishAuth, so the configured extras only ever appear once. On the offline path that reset is skipped (the getGroups call failed because there is no network), so authInfo is loaded from cache with the previous extras already present, and finishAuth appends them a second time.
The daemon's handleUsersToLocalGroupsUpdate does DELETE FROM users_to_local_groups WHERE uid = ?; INSERT … VALUES (?, ?), (?, ?), … inside one transaction. The duplicates introduced by the broker collide on the (uid, group_name) UNIQUE constraint intra-transaction, the whole INSERT rolls back, and the user ends up with no local groups (the DELETE half is also rolled back, but the broker keeps duplicating on every retry so the cache stays polluted).
Proposed fix
Two complementary fixes:
-
authd-oidc-brokers: deduplicate the configured extras against authInfo.UserInfo.Groups before appending. Trivial 15-line patch in Broker.finishAuth. PR follows.
-
authd (defence in depth): switch handleUsersToLocalGroupsUpdate to either an INSERT … ON CONFLICT DO NOTHING or to deduplicating the slice in the daemon before the bulk INSERT. Even if the broker is misbehaving, the daemon should not refuse to update the user's group list.
I have a working patch for (1) deployed in production for ~24h with no regressions. Happy to file (2) as a separate issue if useful.
Workaround for affected operators
Stop the broker, wipe the polluted cache, delete the stale rows for the affected user, restart:
sudo systemctl stop snap.authd-oidc.authd-oidc
sudo rm -rf /var/snap/authd-oidc/current/cache/*
sudo sqlite3 /var/lib/authd/authd.sqlite3 \
"DELETE FROM users_to_local_groups WHERE uid = (SELECT uid FROM users WHERE name = '<user>');"
sudo systemctl start snap.authd-oidc.authd-oidc
Then sign in once online (re-seeds the cache cleanly), then offline works. Until the broker patch lands, this needs to be repeated after every offline failure.
Summary
After a successful online sign-in via the OIDC broker, every subsequent offline sign-in by the same user fails immediately with:
The user is denied authentication at GDM and the local groups configured under
owner_extra_groups(and/orextra_groups) are silently dropped from the daemon's group table. Reproducible deterministically withnmcli networking offafter the first online sign-in.Versions
authddeb 0.5.5 fromppa:ubuntu-enterprise-desktop/authdon Ubuntu 24.04.3authd-oidcsnap 0.4.0 fromstable(also reproduces againstlatest/edgeas of 2026-04-28)Configuration that triggers it
Single-user laptop,
/var/snap/authd-oidc/current/broker.conf:Reproducer
Configure broker.conf as above. Sign in successfully online as
<user>via GDM. JIT provisioning works;id <user>shows the user withsudo,docker,dialout. The daemon'susers_to_local_groupstable contains exactly:Sign out.
nmcli networking off. Sign in again at GDM with the same user.Expected: offline cached sign-in succeeds,
idstill shows the same group set.Actual: GDM rejects with "Authentication failure".
journalctl -u authdshows theUNIQUE constraint failederror above. The daemon then falls back to writing the user without the local groups, so on the next online sign-inidis missingsudo/docker/dialoutuntil the broker cache is wiped and the user signs in online again.Root cause
Broker.finishAuthinauthd-oidc-brokers/internal/broker/broker.gounconditionally appendsb.cfg.extraGroupsand (when applicable)b.cfg.ownerExtraGroupstoauthInfo.UserInfo.Groupsand then writes the result back to disk viaCacheAuthInfo. The append is correct on the online path because the calling code resetsauthInfo.UserInfo.Groups = groupsto a fresh provider response before reachingfinishAuth, so the configured extras only ever appear once. On the offline path that reset is skipped (thegetGroupscall failed because there is no network), soauthInfois loaded from cache with the previous extras already present, andfinishAuthappends them a second time.The daemon's
handleUsersToLocalGroupsUpdatedoesDELETE FROM users_to_local_groups WHERE uid = ?; INSERT … VALUES (?, ?), (?, ?), …inside one transaction. The duplicates introduced by the broker collide on the(uid, group_name)UNIQUE constraint intra-transaction, the whole INSERT rolls back, and the user ends up with no local groups (the DELETE half is also rolled back, but the broker keeps duplicating on every retry so the cache stays polluted).Proposed fix
Two complementary fixes:
authd-oidc-brokers: deduplicate the configured extras againstauthInfo.UserInfo.Groupsbefore appending. Trivial 15-line patch inBroker.finishAuth. PR follows.authd(defence in depth): switchhandleUsersToLocalGroupsUpdateto either anINSERT … ON CONFLICT DO NOTHINGor to deduplicating the slice in the daemon before the bulk INSERT. Even if the broker is misbehaving, the daemon should not refuse to update the user's group list.I have a working patch for (1) deployed in production for ~24h with no regressions. Happy to file (2) as a separate issue if useful.
Workaround for affected operators
Stop the broker, wipe the polluted cache, delete the stale rows for the affected user, restart:
Then sign in once online (re-seeds the cache cleanly), then offline works. Until the broker patch lands, this needs to be repeated after every offline failure.