@@ -98,17 +98,31 @@ export class IamSessionApp {
9898 let existingUser = await this . userAuthentication . findUserForLogin ( {
9999 candidate : this . mapOIDCProfileToIdentity ( payload ) ,
100100 } ) ;
101- if ( existingUser ) {
102- return existingUser ;
101+ if ( ! existingUser ) {
102+ // Organizational account lookup by email address
103+ existingUser = await this . userAuthentication . findOrgOwnedUser ( {
104+ organizationId : payload . organizationId ,
105+ email : payload . claims . email ,
106+ } ) ;
107+ if ( existingUser ) {
108+ log . info ( "Found Org-owned user by email." , { email : payload ?. claims ?. email } ) ;
109+ }
103110 }
104111
105- // Organizational account lookup by email address
106- existingUser = await this . userAuthentication . findOrgOwnedUser ( {
107- organizationId : payload . organizationId ,
108- email : payload . claims . email ,
109- } ) ;
110- if ( existingUser ) {
111- log . info ( "Found Org-owned user by email." , { email : payload ?. claims ?. email } ) ;
112+ if ( existingUser ?. organizationId ) {
113+ const members = await this . orgService . listMembers ( existingUser . id , existingUser . organizationId ) ;
114+ if ( ! members . some ( ( m ) => m . userId === existingUser ?. id ) ) {
115+ // In case `createNewOIDCUser` failed to create a membership for this user,
116+ // let's try to fix the situation on the fly.
117+ // Also, if that step repeatedly fails, it would fail the login process earlier but
118+ // in a more consistent state.
119+ await this . orgService . addOrUpdateMember (
120+ existingUser . id ,
121+ existingUser . organizationId ,
122+ existingUser . id ,
123+ "member" ,
124+ ) ;
125+ }
112126 }
113127
114128 return existingUser ;
0 commit comments