
OAuth federation not removing users from groups #12938

Closed
loelu opened this issue Feb 5, 2025 · 4 comments
Labels
question Further information is requested

Comments


loelu commented Feb 5, 2025

Describe your question
We have set up a federation to an OAuth source with the following user property mapping:

```python
# authentik OAuth source property mapping; `info` is the claims/userinfo dict
# returned by the OAuth provider
return {
    "username": info.get("email").split("@", 1)[0],
    "email": info.get("email"),
    "uid": info.get("user_id"),
    "name": info.get("name"),
    "groups": info.get("roles", []),
}
```

On the initial login the groups are synced correctly. Non-existing groups are created and the user is added to all groups in the roles attribute. However, it seems like this sync is only happening on the initial login. If a user is removed from a group in the OAuth Source they are not removed from the group in authentik after their next login. The same behaviour is expected if I change for example how the username is set. It does not change after the initial login, even if the logic is changed. Is this expected? Can this be configured?

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.3
  • Deployment: helm

Additional context
Not sure if related to #6408 and #1644

@loelu loelu added the question Further information is requested label Feb 5, 2025

rissson commented Feb 8, 2025

Not related to LDAP issues. There is some code to handle removing groups created from sources, but if those groups existed previously, or are not directly linked to a source, then authentik cannot be 100% sure if it should remove those. https://github.com/goauthentik/authentik/blob/main/authentik/core/sources/flow_manager.py#L389

What are your sources settings? Specifically how are groups created and linked ("group matching mode" option).
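The distinction rissson describes, modelled as a small reconciliation function (an added illustration, not authentik's own code): groups the source created are revoked when the source stops reporting them, while pre-existing or local groups are left untouched because the source cannot be sure it owns them. The `Group.source` field and the `sync_source_groups` name are assumptions of this example.

```python
"""Model of source-linked group reconciliation (added example, not authentik code).

A group carries the slug of the source that created it, or None when it is a
local group or existed before the source was configured.  Only memberships in
groups owned by the syncing source are ever removed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    source: Optional[str] = None  # assumed field: slug of the creating source


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


def sync_source_groups(user, groups, source, roles):
    """Reconcile `user`'s memberships with the `roles` reported by `source`.

    Returns (added, removed, kept_local) as sets of group names.
    """
    roles = set(roles)
    # Groups unknown to authentik are created and linked to this source.
    for role in roles - groups.keys():
        groups[role] = Group(role, source=source)
    owned = {g.name for g in groups.values() if g.source == source}
    added = roles - user.groups
    # Only memberships in groups this source created are revoked.
    removed = (user.groups & owned) - roles
    # Local or pre-existing groups stay even if the source never reported them.
    kept_local = user.groups - owned
    user.groups = (user.groups - removed) | added
    return added, removed, kept_local


def demo():
    """Constructed sample: one local group, two groups created by 'oauth'."""
    groups = {
        "admins": Group("admins"),                 # local, pre-existing
        "staff": Group("staff", source="oauth"),
        "billing": Group("billing", source="oauth"),
    }
    alice = User("alice", {"admins", "staff", "billing"})
    # Upstream roles on the next login: 'billing' is gone, 'finance' is new.
    added, removed, kept = sync_source_groups(alice, groups, "oauth", ["staff", "finance"])
    return added, removed, kept, alice.groups, groups["finance"].source
```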


loelu commented Feb 10, 2025

I added the enrollment stage to the default-source-authentication flow so now the mapping logic is executed on every login. This solved the issue.
The group matching mode is set to "Link users on unique identifier".

I was also pleasantly surprised that authentik can differentiate between source groups and "local" groups in authentik. I was expecting that all group memberships are overridden on every sync, but the memberships to local groups are kept while memberships to source groups are removed. So nice work! :)

@loelu loelu closed this as completed Feb 10, 2025

rissson commented Feb 10, 2025

> I added the enrollment stage to the default-source-authentication flow so now the mapping logic is executed on every login. This solved the issue. The group matching mode is set to "Link users on unique identifier"

Do you mean the User write stage? If so, then yes, there needs to be one for changes to be saved.

> I was also pleasantly surprised that authentik can differentiate between source groups and "local" groups in authentik. I was expecting that all group memberships are overridden on every sync, but the memberships to local groups are kept while memberships to source groups are removed. So nice work! :)

Thank you!


loelu commented Feb 10, 2025

> Do you mean the User write stage? If so, then yes, there needs to be one for changes to be saved.

Yes, exactly. I just used the default-source-enrollment-write stage, that's why I mixed it up.
