From d82d03a1d3c37c98bf70ae982df51b50d140826b Mon Sep 17 00:00:00 2001
From: linoman <2051016+linoman@users.noreply.github.com>
Date: Mon, 31 Mar 2025 22:42:07 +0200
Subject: [PATCH] SCIM: Update authinfoquery (#103123)
* Rewrite mismatched externalUID error message
* Update AuhtInfo if user exists
---
 pkg/services/authn/authnimpl/sync/user_sync.go | 7 ++++++-
 pkg/services/login/authinfoimpl/store.go | 9 +++++----
 pkg/services/login/model.go | 9 +++++----
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/pkg/services/authn/authnimpl/sync/user_sync.go b/pkg/services/authn/authnimpl/sync/user_sync.go
index 2f55c3a9cac..60539ff6b3d 100644
--- a/pkg/services/authn/authnimpl/sync/user_sync.go
+++ b/pkg/services/authn/authnimpl/sync/user_sync.go
@@ -48,7 +48,7 @@ var (
 )
 errMismatchedExternalUID = errutil.Unauthorized(
 "user.sync.mismatched-externalUID",
- errutil.WithPublicMessage("Mismatched externalUID"),
+ errutil.WithPublicMessage("Mismatched provisioned identity"),
 )
 errEmptyExternalUID = errutil.Unauthorized(
 "user.sync.empty-externalUID",
@@ -134,6 +134,11 @@ func (s *UserSync) SyncUserHook(ctx context.Context, id *authn.Identity, _ *auth
 }
 }
 
+ if usr.IsProvisioned && id.ExternalUID != userAuth.ExternalUID {
+ s.log.Error("mismatched externalUID", "provisioned_externalUID", userAuth.ExternalUID, "identity_externalUID", id.ExternalUID)
+ return errMismatchedExternalUID.Errorf("externalUID mistmatch")
+ }
+
 syncUserToIdentity(usr, id)
 return nil
 }
diff --git a/pkg/services/login/authinfoimpl/store.go b/pkg/services/login/authinfoimpl/store.go
index 84c405bf276..3d8dcd6c39f 100644
--- a/pkg/services/login/authinfoimpl/store.go
+++ b/pkg/services/login/authinfoimpl/store.go
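Review bot: The new guard in SyncUserHook reads `userAuth.ExternalUID` with no nil check; if the lookup earlier in the function (outside this hunk) can hand back a user whose auth-info row is missing, a provisioned user on that path hits a nil-pointer dereference instead of a rejected sync. If a missing row should count as a mismatch for provisioned users, `if usr.IsProvisioned && (userAuth == nil || id.ExternalUID != userAuth.ExternalUID) {` keeps the check fail-closed without the dereference — confirm against the lookup's contract. The internal message has a typo: `return errMismatchedExternalUID.Errorf("externalUID mismatch")`. SyncUserHook starts before this hunk.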
@@ -151,10 +151,11 @@ func (s *Store) SetAuthInfo(ctx context.Context, cmd *login.SetAuthInfoCommand)
 
 func (s *Store) UpdateAuthInfo(ctx context.Context, cmd *login.UpdateAuthInfoCommand) error {
 authUser := &login.UserAuth{
- UserId: cmd.UserId,
- AuthModule: cmd.AuthModule,
- AuthId: cmd.AuthId,
- Created: GetTime(),
+ UserId: cmd.UserId,
+ AuthModule: cmd.AuthModule,
+ AuthId: cmd.AuthId,
+ Created: GetTime(),
+ ExternalUID: cmd.ExternalUID,
 }
 
 if cmd.OAuthToken != nil {
diff --git a/pkg/services/login/model.go b/pkg/services/login/model.go
index 979a89d6fb2..dbcde8d4bac 100644
--- a/pkg/services/login/model.go
+++ b/pkg/services/login/model.go
@@ -81,10 +81,11 @@ type SetAuthInfoCommand struct {
 }
 
 type UpdateAuthInfoCommand struct {
- AuthModule string
- AuthId string
- UserId int64
- OAuthToken *oauth2.Token
+ AuthModule string
+ AuthId string
+ UserId int64
+ OAuthToken *oauth2.Token
+ ExternalUID string
 }
 
 type DeleteAuthInfoCommand struct {
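Review bot: UpdateAuthInfo now copies `cmd.ExternalUID` into the row unconditionally, so any caller that builds an UpdateAuthInfoCommand without setting the new field passes an empty string; whether that clears a previously stored provisioned identifier depends on how the update statement below the hunk treats zero-value fields, which is not visible here and worth confirming, because the new check in user_sync.go rejects the login whenever the stored value and the identity's disagree. If clearing is not intended, assign the field only when `cmd.ExternalUID != ""`, or document on the command that an empty value overwrites. The function body continues past the hunk.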
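Review bot: The new `ExternalUID` field on UpdateAuthInfoCommand carries no doc comment, and since the sync hook in this patch now rejects a login when this value disagrees with the identity's, its contract matters to every caller that constructs the command. Suggest `// ExternalUID is the identifier assigned by the provisioning source (SCIM); for provisioned users it is compared against the identity's ExternalUID on login.` above the field.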