From b22a4f8ea70d6319766377265daec99182ee589a Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Tue, 25 Jan 2022 16:59:37 +0100
Subject: [PATCH] Reuse user from session when issuing oa2 token

This way we keep user's roles in case the list was modified by external-auth-provider role security
---
 auth/handlers/handle_oauth2.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/auth/handlers/handle_oauth2.go b/auth/handlers/handle_oauth2.go
index 25661e12c..fd6f452b5 100644
--- a/auth/handlers/handle_oauth2.go
+++ b/auth/handlers/handle_oauth2.go
@@ -13,6 +13,7 @@ import (
 "github.com/lestrrat-go/jwx/jwa"
 "github.com/lestrrat-go/jwx/jwk"
+ "github.com/spf13/cast"
 "github.com/go-chi/jwtauth"
 oauth2errors "github.com/go-oauth2/oauth2/v4/errors"
@@ -381,7 +382,9 @@ func (h AuthHandlers) handleTokenRequest(req *request.AuthReq, client *types.Aut
 userID = userID[:i]
 }
- if user, err = h.UserService.FindByAny(suCtx, userID); err != nil {
+ if req.AuthUser != nil && req.AuthUser.User != nil && req.AuthUser.User.ID == cast.ToUint64(userID) {
+ user = req.AuthUser.User
+ } else if user, err = h.UserService.FindByAny(suCtx, userID); err != nil {
 return h.tokenError(w, fmt.Errorf("could not generate token: %v", err))
 }
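Review bot: In the second hunk, `cast.ToUint64(userID)` discards the conversion error and returns 0 for any string that is not a plain number, so a non-numeric `userID` is compared against 0 instead of skipping the shortcut. Since the token identity is decided here, the condition should convert explicitly and reject zero, for example `if id, cerr := cast.ToUint64E(userID); cerr == nil && id != 0 && req.AuthUser != nil && req.AuthUser.User != nil && req.AuthUser.User.ID == id {`. The shortcut also issues the token from the session's copy of the user, so any freshness or account-state check that `FindByAny` may perform (not visible here) no longer runs on this path. A comment such as `// session user is reused to keep externally assigned roles; account state is not re-read here` would make that trade-off explicit. The body of `handleTokenRequest` begins and ends outside this hunk, so how `req.AuthUser` is populated and validated could not be checked.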