Red Hat build of Keycloak: RHBK-2767

Wrong organization claim assignment in JWT access token [GHI#37169]

    • RHBK-2757 - Release Red Hat Build of KeyCloak

      Area

      organizations

      Describe the bug

      A user (whose email domain matches a domain already used by any organization) without any organization assigned gets an organization claim in the access token, which is in my opinion a very very unwanted situation.
      The issue occurs when we create a user with an email domain that is assigned to an organization. Then, even though the user is not a part of the organization, they get an organization claim in the access token (the user has no organization and the organization has no users).
      The wrong claim is assigned only when using a client with a real application - the evaluation tool for that particular client works correctly.

      Version

      nightly

      Regression

      [x] The issue is a regression

      Expected behavior

      A user with no organization has no organization claim - even if the email's domain name is the same as one used by an existing organization.

      Actual behavior

      A user with no organization gets an organization token claim with real organization data.

      How to Reproduce?

      1. Create realm
      2. Enable organizations
      3. Set email as username
      4. Modify client scope "organization" in client scopes:
         1) Set as default (screenshot)
         2) Modify default mapper 'organizations' in client scope (screenshots: Before / After)
      5. Create client that will be used by real application.
      6. Ensure that scope organization is default
      7. Create organizations (screenshot)
      8. Create user with mail that is used by one of organizations (do not assign to any organization) (screenshot; org also has no users)
      9. Log in to application
      10. Token contains organization based on domain while user is not assigned to any domain (screenshot)
      11. Evaluation tool works correctly (screenshot)

      (wrote all steps I've done)

      Anything else?

      No response
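As an added example (not part of the original report and not Keycloak's own code), a check a tester or relying party can run against an issued access token: it compares the `organization` claim with the user's actual memberships and flags any organization present only because of an email-domain match. The claim shapes handled (object keyed by alias, or list of aliases), the constructed token and the membership lookup are assumptions.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWS purely as test input (not a real Keycloak token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the claims segment without verifying the signature.
    Inspection only: run this after the client library has validated the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def unexpected_organizations(claims: dict, memberships: set, claim_name: str = "organization") -> set:
    """Organizations named in the token that the user is not actually a member of.
    Assumed claim shapes: an object keyed by organization alias, or a list of aliases."""
    claim = claims.get(claim_name)
    if claim is None:
        return set()
    if isinstance(claim, dict):
        names = set(claim)
    elif isinstance(claim, list):
        names = {str(c) for c in claim}
    else:
        names = {str(claim)}
    return names - set(memberships)


# Constructed example reproducing the reported symptom: the user belongs to no
# organization, yet the token carries the organization whose domain matches the email.
SAMPLE_TOKEN = make_unsigned_token({
    "sub": "user-1",
    "email": "alice@example.org",  # constructed; domain matches org "example-org"
    "organization": {"example-org": {}},
})
SAMPLE_MEMBERSHIPS = set()  # constructed: the admin API would report no memberships for this user

if __name__ == "__main__":
    leaked = unexpected_organizations(decode_payload(SAMPLE_TOKEN), SAMPLE_MEMBERSHIPS)
    print("unexpected organization claim:", sorted(leaked))  # prints ['example-org']
```

An empty result for every user who is not an organization member is the expected behaviour described above; a non-empty result on a real token is the regression.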

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core IAM