@uwwint uwwint commented Dec 3, 2025

(Please replace this header with a description of your pull request. Please include BOTH what you did and why you made the changes. The "why" may simply be citing a relevant Galaxy issue.)
(If fixing a bug, please add any relevant error or traceback)
(For UI components, it is recommended to include screenshots or screencasts)

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. create an OIDC-only Galaxy
    2. register a user
    3. update the user's email / username
    4. log in to Galaxy with that user:
      The username and email are updated.

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

@github-actions github-actions bot added area/UI-UX area/API area/auth Authentication and authorization labels Dec 3, 2025
@uwwint uwwint force-pushed the feature/oidc-update branch from 01edf2c to 0455da9 Compare December 3, 2025 05:15

uwwint commented Dec 3, 2025

@nuwang Can you help with this one?

@nuwang nuwang left a comment

From what I can see, this is always syncing when logging in through an OIDC client? However, since Galaxy allows multiple accounts to be connected, I'm not sure that behaviour is desirable, since users may have one primary email they prefer but have secondary accounts connected.

IMO, I think we should simplify this to use the same conditions as here: #21356
That is, update account only if enable_account_interface: false and only one login provider is configured. That way, we also don't need toast messages and can simplify that bit too.

@nuwang nuwang requested a review from ahmedhamidawan December 4, 2025 16:00

uwwint commented Dec 5, 2025

Agree @nuwang. Do you want me to rebase on #21356 or wait for the merge?

nuwang commented Dec 5, 2025

The enable_account_interface flag is already present so I don't think we need #21356 for this.

@ahmedhamidawan ahmedhamidawan changed the title feat: allow OIDC to update EMAIL and username (if mapped) Allow OIDC to update EMAIL and username (if mapped) Dec 5, 2025
@uwwint uwwint force-pushed the feature/oidc-update branch from 0455da9 to 6ec4ea2 Compare January 28, 2026 22:26

uwwint commented Jan 29, 2026

@nuwang Done

@nuwang nuwang left a comment

Some comments/suggestions:

  1. We can't auto-update the username/email since Galaxy could have multiple account associations, and that raises the question of which the authoritative ones should be. Instead, I think we could just piggyback on the fixed_delegated_auth config setting - and auto-update the username/email if fixed_delegated_auth is on. (We already use fixed_delegated_auth to auto-associate emails with no confirmation - and it essentially implies a trust relationship with the OIDC provider.)
  2. That will also allow us to get rid of the toast message - which adds complexity
  3. We should also have an integration test - modelled after the tests here: https://github.com/nuwang/galaxy/blob/26f86934cb0ae0e003aaf871c2ae0ad4e266b0e4/test/integration/oidc/test_auth_oidc.py#L516
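
Added example, not part of this PR or of Galaxy's code: a sketch of the gating suggested in the review above, where profile fields are synced from OIDC claims only when `fixed_delegated_auth` is on. The `User` class, `sync_profile_from_claims` and `_taken` are hypothetical names, and the `email_verified` and collision checks are assumptions added here, not requirements stated in the thread.

```python
from dataclasses import dataclass


@dataclass
class User:  # hypothetical stand-in for a local account record
    id: int
    email: str
    username: str


def _taken(users, field, value, self_id):
    """True if another local account already holds this value (case-insensitive)."""
    return any(u.id != self_id and getattr(u, field).lower() == value.lower()
               for u in users)


def sync_profile_from_claims(user, claims, users, fixed_delegated_auth):
    """Apply email/username from ID-token claims; return the fields changed.

    Nothing is synced unless the deployment has declared the provider
    authoritative via fixed_delegated_auth.
    """
    if not fixed_delegated_auth:
        return {}
    changes = {}
    email = claims.get("email")
    username = claims.get("preferred_username")
    # Assumption: only accept an email the provider marks as verified, and
    # never one that belongs to a different local account.
    if (email and email != user.email
            and claims.get("email_verified") is True
            and not _taken(users, "email", email, user.id)):
        changes["email"] = email
    if (username and username != user.username
            and not _taken(users, "username", username, user.id)):
        changes["username"] = username
    for field, value in changes.items():
        setattr(user, field, value)
    return changes


if __name__ == "__main__":
    # Constructed sample accounts and claims.
    accounts = [User(1, "a@example.org", "alice"), User(2, "b@example.org", "bob")]
    token = {"sub": "constructed-sub", "email": "new@example.org",
             "email_verified": True, "preferred_username": "alice2"}
    print(sync_profile_from_claims(accounts[0], token, accounts, True))
```
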
