#4941 - Mapping OIDC groups to INCEpTION's internal roles

[reckart]

What's in the PR
This PR contains the feature allowing to map OAuth2 groups with INCEpTION roles, as described in the corresopnding feaure request

How to test manually

1. Run a local Keycloak, with a dedicated user and 4 groups associated to that user :

• INCEPTION_ADMIN
• INCEPTION_USER
• INCEPTION_PROJECT_CREATOR
• INCEPTION_REMOTE

2. Add the following lines to your settings.properties file, inside your INCEpTION home directory :

   # OAuth2 groups mapping settings
   oauth2-groups.enabled=true
   oauth2-groups.admin=/INCEPTION_ADMIN
   oauth2-groups.user=/INCEPTION_USER
   oauth2-groups.project-creator=/INCEPTION_PROJECT_CREATOR
   oauth2-groups.remote=/INCEPTION_REMOTE
   

3. Build and run an INCEpTION instance from this branch
4. Try to login via OAuth2, and observe that the newly created user is bind to all the INCEpTION roles, as mapped in the settings.properties file. You can play with the mapping/groups to test the behavior.

Note : :

• The roles are mapped at the user's creation and at every connections
• If the feature is enabled and the user isn't in any group mapped to INCEpTION roles, and AccessDeniedException will be throw.
• The OAuth2AdaptaterImpl class was vefore calling to the PreAuthUtil class, whereas it's specified in the documentation that the External PreAuth feature isn't compatible with OAuth2 authentication. I made a dedicated OAuth2Utils class that contains a method that maps the OAuth2 groups if the mapping feature is enabled, or just adds the USER INCEpTION role to the user if the mapping feature is disabled.
• Corresponding properties have been added with a native SpringBoot @Configuration annotation.

Automatic testing

• The test class OAuth2UtilsTest contains a set of unit tests

• PR includes unit tests

Documentation

• I can do the documentation as well if the feature is validated.

• PR updates documentation

I'm of course open to feedback and willing to modify the implementation if needed ;)

Supersedes #4982 because GH actions somehow don't work on that one.

[Copilot]

Pull request overview

This PR implements OAuth2 group-to-role mapping functionality for INCEpTION, allowing OAuth2/OIDC groups from identity providers to be mapped to INCEpTION's internal roles (ADMIN, USER, PROJECT_CREATOR, REMOTE). The feature is configurable via settings.properties and can be enabled/disabled. When disabled, users default to the USER role as before.

Key changes:

• Introduced new OAuth2Utils class to handle OAuth2 group-to-role mapping with configurable properties
• Modified OAuth2AdapterImpl to use the new role mapping logic instead of PreAuthUtils
• Added comprehensive unit tests for the role mapping functionality

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
inception/inception-security/src/main/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2Utils.java	New configuration properties class handling OAuth2 group-to-role mapping logic
inception/inception-security/src/main/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2AdapterImpl.java	Updated to use OAuth2Utils for role assignment during user creation and login
inception/inception-security/src/test/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2UtilsTest.java	New test class with unit tests for role mapping scenarios
.github/workflows/maven.yml	Added Git debug trace configuration (appears to be leftover debugging)
.gitattributes	Added binary file type specifications for gif, pptx, and zip files
inception/inception-app-webapp/src/test/java/de/tudarmstadt/ukp/inception/db/InceptionHsqldbIntegrationTest.java	Minor formatting changes with trailing whitespace

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The matchOauth2groupToRole method uses multiple independent if statements, which means it will only match the first configured role even if empty strings are configured for other roles. Since StringUtils.equals returns true when both arguments are empty strings, an empty configuration value (e.g., security.oauth.roles.admin=) will match and add a role incorrectly.

Consider adding null/empty checks before the StringUtils.equals calls:

if (StringUtils.isNotBlank(OAUTH2_ADMIN_ROLE) && StringUtils.equals(oauth2group, OAUTH2_ADMIN_ROLE)) {
    userRoles.add(Role.ROLE_ADMIN);
}

Suggested change

	if (StringUtils.equals(oauth2group, OAUTH2_ADMIN_ROLE)) {
	userRoles.add(Role.ROLE_ADMIN);
	}
	if (StringUtils.equals(oauth2group, OAUTH2_USER_ROLE)) {
	userRoles.add(Role.ROLE_USER);
	}
	if (StringUtils.equals(oauth2group, OAUTH2_PROJECT_CREATOR_ROLE)) {
	userRoles.add(Role.ROLE_PROJECT_CREATOR);
	}
	if (StringUtils.equals(oauth2group, OAUTH2_REMOTE_ROLE)) {
	if (StringUtils.isNotBlank(OAUTH2_ADMIN_ROLE) && StringUtils.equals(oauth2group, OAUTH2_ADMIN_ROLE)) {
	userRoles.add(Role.ROLE_ADMIN);
	}
	if (StringUtils.isNotBlank(OAUTH2_USER_ROLE) && StringUtils.equals(oauth2group, OAUTH2_USER_ROLE)) {
	userRoles.add(Role.ROLE_USER);
	}
	if (StringUtils.isNotBlank(OAUTH2_PROJECT_CREATOR_ROLE) && StringUtils.equals(oauth2group, OAUTH2_PROJECT_CREATOR_ROLE)) {
	userRoles.add(Role.ROLE_PROJECT_CREATOR);
	}
	if (StringUtils.isNotBlank(OAUTH2_REMOTE_ROLE) && StringUtils.equals(oauth2group, OAUTH2_REMOTE_ROLE)) {

[Copilot]

Remove debug print statement from test. Use proper logging or assertions instead of System.out.println.

Suggested change

System.out.println(ade.getClass().getSimpleName() + " was thrown");

[Copilot]

[nitpick] These debug environment variables (GIT_TRACE and GIT_CURL_VERBOSE) appear to be leftover debugging configuration and should be removed before merging. They increase log verbosity unnecessarily in the CI pipeline.

Suggested change

	env:
	GIT_TRACE: 1
	GIT_CURL_VERBOSE: 1

[Copilot]

The tests don't cover the scenario where security.oauth.roles.enabled=false (the default behavior). Add a test to verify that when role mapping is disabled, users are assigned the default ROLE_USER role regardless of their OAuth2 groups.

[Copilot]

The test name thatUnauthorizedExceptionIsThrownIfNoRoleIsMapped is inaccurate. The code throws AccessDeniedException, not an "Unauthorized" exception. Consider renaming to thatAccessDeniedExceptionIsThrownIfNoRoleIsMapped or thatExceptionIsThrownWhenUserHasNoGroups.

Suggested change

	void thatUnauthorizedExceptionIsThrownIfNoRoleIsMapped() {
	void thatAccessDeniedExceptionIsThrownIfNoRoleIsMapped() {

[Copilot]

The class name OAuth2Utils suggests a utility class with static helper methods, but it's actually a Spring configuration properties class. Consider renaming to follow the codebase convention of appending PropertiesImpl (e.g., OAuth2RolesPropertiesImpl) and having it implement an interface (e.g., OAuth2RolesProperties), as seen with LoginPropertiesImpl, SecurityPropertiesImpl, etc.

[Copilot]

Instead of using a try-catch block with fail(), use JUnit 5's assertThrows for cleaner exception testing:

assertThrows(AccessDeniedException.class, () -> 
    OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User)
);

This is more idiomatic and removes the need for the return statement and fail call.

[Copilot]

The error message is ambiguous. It states "doesn't have any roles" but what it actually means is "doesn't have the groups claim or the claim is empty". Consider making it clearer:

throw new AccessDeniedException("OAuth2 roles mapping is enabled, but user ["
    + aUser.getUsername() + "] has no groups in the '" + OAUTH2_ROLES_CLAIM + "' claim");

Suggested change

	+ aUser.getUsername() + "] doesn't have any roles, or the corresponding claim is empty");
	+ aUser.getUsername() + "] does not have the required claim '" + OAUTH2_ROLES_CLAIM
	+ "', or the claim is empty");

[Copilot]

Add a test to verify that a user can have multiple roles when they belong to multiple OAuth2 groups (e.g., both ROLE_USER and ROLE_PROJECT_CREATOR). This is an important use case that should be explicitly tested.

[Copilot]

The OAuth2Utils class has several architectural issues:

1. Anti-pattern: Using static fields with Spring configuration: The class uses both @Configuration and @ConfigurationProperties annotations with static fields. Static fields are set via instance methods (setters), which works but is not thread-safe and violates Spring best practices. Configuration properties classes should use instance fields.

2. Redundant annotations: Both @Value and @ConfigurationProperties are used together, which is unnecessary. When using @ConfigurationProperties(prefix = "security.oauth.roles"), Spring automatically binds properties to instance fields via setters without needing @Value annotations.

3. Missing from SecurityAutoConfiguration: The class is not registered in SecurityAutoConfiguration.java's @EnableConfigurationProperties list, which means it may not be properly initialized as a Spring configuration properties bean.

Recommended approach:

• Remove the @Configuration annotation (not needed for properties classes)
• Change all static fields to instance fields
• Remove all @Value annotations (redundant with @ConfigurationProperties)
• Add OAuth2Utils.class to @EnableConfigurationProperties in SecurityAutoConfiguration.java
• Inject OAuth2Utils as a dependency in OAuth2AdapterImpl rather than calling static methods
• Follow the pattern used by other properties classes like LoginPropertiesImpl or SecurityPropertiesImpl