🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804)

* feat: Add granular role-based permissions system with Entra ID integration - Implement RBAC with viewer/editor/owner roles using bitwise permissions - Add AccessRole, AclEntry, and Group models for permission management - Create PermissionService for core permission logic and validation - Integrate Microsoft Graph API for Entra ID user/group search - Add middleware for resource access validation with custom ID resolvers - Implement bulk permission updates with transaction support - Create permission management UI with people picker and role selection - Add public sharing capabilities for resources - Include database migration for existing agent ownership - Support hybrid local/Entra ID identity management - Add comprehensive test coverage for all new services chore: Update @librechat/data-schemas to version 0.0.9 and export common module in index.ts fix: Update userGroup tests to mock logger correctly and change principalId expectation from null to undefined * fix(data-schemas): use partial index for group idOnTheSource uniqueness Replace sparse index with partial filter expression to allow multiple local groups while maintaining unique constraint for external source IDs. The sparse option on compound indexes doesn't work as expected when one field is always present. * fix: imports in migrate-agent-permissions.js * chore(data-schemas): add comprehensive README for data schemas package - Introduced a detailed README.md file outlining the structure, architecture patterns, and best practices for the LibreChat Data Schemas package. - Included guidelines for creating new entities, type definitions, schema files, model factory functions, and database methods. - Added examples and common patterns to enhance understanding and usage of the package. * chore: remove unused translation keys from localization file * ci: fix existing tests based off new permission handling - Renamed test cases to reflect changes in permission checks being handled at the route level. - Updated assertions to verify that agents are returned regardless of user permissions due to the new permission system. - Adjusted mocks in AppService and PermissionService tests to ensure proper functionality without relying on actual implementations. * ci: add unit tests for access control middleware - Introduced tests for the `canAccessAgentResource` middleware to validate permission checks for agent resources. - Implemented tests for various scenarios including user roles, ACL entries, and permission levels. - Added tests for the `checkAccess` function to ensure proper permission handling based on user roles and permissions. - Utilized MongoDB in-memory server for isolated test environments. * refactor: remove unused mocks from GraphApiService tests * ci: enhance AgentFooter tests with improved mocks and permission handling - Updated mocks for `useWatch`, `useAuthContext`, `useHasAccess`, and `useResourcePermissions` to streamline test setup. - Adjusted assertions to reflect changes in UI based on agent ID and user roles. - Replaced `share-agent` component with `grant-access-dialog` in tests to align with recent UI updates. - Added tests for handling null agent data and permissions loading scenarios. * ci: enhance GraphApiService tests with MongoDB in-memory server - Updated test setup to use MongoDB in-memory server for isolated testing. - Refactored beforeEach to beforeAll for database connection management. - Cleared database before each test to ensure a clean state. - Retained existing mocks while improving test structure for better clarity. * ci: enhance GraphApiService tests with additional logger mocks - Added mock implementation for logger methods in GraphApiService tests to improve error and debug logging during test execution. - Ensured existing mocks remain intact while enhancing test coverage and clarity. * chore: address ESLint Warnings * - add cursor-based pagination to getListAgentsByAccess and update handler - add index on updatedAt and _id in agent schema for improved query performance * refactor permission service with reuse of model methods from data-schema package * - Fix ObjectId comparison in getListAgentsHandler using .equals() method instead of strict equality - Add findPubliclyAccessibleResources function to PermissionService for bulk public resource queries - Add hasPublicPermission function to PermissionService for individual resource public permission checks - Update getAgentHandler to use hasPublicPermission for accurate individual agent public status - Replace instanceProjectId-based global checks with isPublic property from backend in client code - Add isPublic property to Agent type definition - Add NODE_TLS_REJECT_UNAUTHORIZED debug setting to VS Code launch config * feat: add check for People.Read scope in searchContacts * fix: add roleId parameter to grantPermission and update tests for GraphApiService * refactor: remove problematic projection pipelines in getResourcePermissions for document db aws compatibility * feat: enhance agent permissions migration with DocumentDB compatibility and add dry-run script * feat: add support for including Entra ID group owners as members in permissions management + fix Group members paging * feat: enforce at least one owner requirement for permission updates and add corresponding localization messages * refactor: remove German locale (must be added via i18n) * chore: linting in `api/models/Agent.js` and removed unused variables * chore: linting, remove unused vars, and remove project-related parameters from `updateAgentHandler` * chore: address ESLint errors * chore: revert removal of unused vars for versioning --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
2026-01-28 13:16:13 +01:00 · 2025-06-20 18:03:58 -04:00 · 2025-06-20 18:03:58 -04:00 · 65c81955f0
commit 65c81955f0
parent 01e9b196bc
99 changed files with 11322 additions and 624 deletions
--- a/api/server/routes/accessPermissions.js
+++ b/api/server/routes/accessPermissions.js
@ -0,0 +1,62 @@
+const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
+const {
+  getUserEffectivePermissions,
+  updateResourcePermissions,
+  getResourcePermissions,
+  getResourceRoles,
+  searchPrincipals,
+} = require('~/server/controllers/PermissionsController');
+const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+
+const router = express.Router();
+
+// Apply common middleware
+router.use(requireJwtAuth);
+router.use(checkBan);
+router.use(uaParser);
+
+/**
+ * Generic routes for resource permissions
+ * Pattern: /api/permissions/{resourceType}/{resourceId}
+ */
+
+/**
+ * GET /api/permissions/search-principals
+ * Search for users and groups to grant permissions
+ */
+router.get('/search-principals', searchPrincipals);
+
+/**
+ * GET /api/permissions/{resourceType}/roles
+ * Get available roles for a resource type
+ */
+router.get('/:resourceType/roles', getResourceRoles);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}
+ * Get all permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId', getResourcePermissions);
+
+/**
+ * PUT /api/permissions/{resourceType}/{resourceId}
+ * Bulk update permissions for a specific resource
+ */
+router.put(
+  '/:resourceType/:resourceId',
+  canAccessResource({
+    resourceType: 'agent',
+    requiredPermission: PermissionBits.SHARE,
+    resourceIdParam: 'resourceId',
+  }),
+  updateResourcePermissions,
+);
+
+/**
+ * GET /api/permissions/{resourceType}/{resourceId}/effective
+ * Get user's effective permissions for a specific resource
+ */
+router.get('/:resourceType/:resourceId/effective', getUserEffectivePermissions);
+
+module.exports = router;
--- a/api/server/routes/agents/actions.js
+++ b/api/server/routes/agents/actions.js
@ -1,20 +1,15 @@
 const express = require('express');
 const { nanoid } = require('nanoid');
-const { actionDelimiter, SystemRoles, removeNullishValues } = require('librechat-data-provider');
+const { logger, PermissionBits } = require('@librechat/data-schemas');
+const { actionDelimiter, removeNullishValues } = require('librechat-data-provider');
 const { encryptMetadata, domainParser } = require('~/server/services/ActionService');
 const { updateAction, getActions, deleteAction } = require('~/models/Action');
 const { isActionDomainAllowed } = require('~/server/services/domains');
+const { canAccessAgentResource } = require('~/server/middleware');
 const { getAgent, updateAgent } = require('~/models/Agent');
-const { logger } = require('~/config');

 const router = express.Router();

-// If the user has ADMIN role
-// then action edition is possible even if not owner of the assistant
-const isAdmin = (req) => {
-  return req.user.role === SystemRoles.ADMIN;
-};
-
 /**
 * Retrieves all user's actions
 * @route GET /actions/
@ -23,9 +18,8 @@ const isAdmin = (req) => {
 */
 router.get('/', async (req, res) => {
  try {
-    const admin = isAdmin(req);
-    // If admin, get all actions, otherwise only user's actions
-    const searchParams = admin ? {} : { user: req.user.id };
+    // Get all actions for the user (admin permissions handled by middleware if needed)
+    const searchParams = { user: req.user.id };
    res.json(await getActions(searchParams));
  } catch (error) {
    res.status(500).json({ error: error.message });
@ -41,106 +35,110 @@ router.get('/', async (req, res) => {
 * @param {ActionMetadata} req.body.metadata - Metadata for the action.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/:agent_id', async (req, res) => {
-  try {
-    const { agent_id } = req.params;
+router.post(
+  '/:agent_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  async (req, res) => {
+    try {
+      const { agent_id } = req.params;

-    /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
-    const { functions, action_id: _action_id, metadata: _metadata } = req.body;
-    if (!functions.length) {
-      return res.status(400).json({ message: 'No functions provided' });
-    }
-
-    let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
-    const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
-    if (!isDomainAllowed) {
-      return res.status(400).json({ message: 'Domain not allowed' });
-    }
-
-    let { domain } = metadata;
-    domain = await domainParser(domain, true);
-
-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
-    }
-
-    const action_id = _action_id ?? nanoid();
-    const initialPromises = [];
-    const admin = isAdmin(req);
-
-    // If admin, can edit any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    // TODO: share agents
-    initialPromises.push(getAgent(agentQuery));
-    if (_action_id) {
-      initialPromises.push(getActions({ action_id }, true));
-    }
-
-    /** @type {[Agent, [Action|undefined]]} */
-    const [agent, actions_result] = await Promise.all(initialPromises);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for adding action' });
-    }
-
-    if (actions_result && actions_result.length) {
-      const action = actions_result[0];
-      metadata = { ...action.metadata, ...metadata };
-    }
-
-    const { actions: _actions = [], author: agent_author } = agent ?? {};
-    const actions = [];
-    for (const action of _actions) {
-      const [_action_domain, current_action_id] = action.split(actionDelimiter);
-      if (current_action_id === action_id) {
-        continue;
+      /** @type {{ functions: FunctionTool[], action_id: string, metadata: ActionMetadata }} */
+      const { functions, action_id: _action_id, metadata: _metadata } = req.body;
+      if (!functions.length) {
+        return res.status(400).json({ message: 'No functions provided' });
      }

-      actions.push(action);
-    }
-
-    actions.push(`${domain}${actionDelimiter}${action_id}`);
-
-    /** @type {string[]}} */
-    const { tools: _tools = [] } = agent;
-
-    const tools = _tools
-      .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
-      .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
-
-    // Force version update since actions are changing
-    const updatedAgent = await updateAgent(
-      agentQuery,
-      { tools, actions },
-      {
-        updatingUserId: req.user.id,
-        forceVersion: true,
-      },
-    );
-
-    // Only update user field for new actions
-    const actionUpdateData = { metadata, agent_id };
-    if (!actions_result || !actions_result.length) {
-      // For new actions, use the agent owner's user ID
-      actionUpdateData.user = agent_author || req.user.id;
-    }
-
-    /** @type {[Action]} */
-    const updatedAction = await updateAction({ action_id }, actionUpdateData);
-
-    const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
-    for (let field of sensitiveFields) {
-      if (updatedAction.metadata[field]) {
-        delete updatedAction.metadata[field];
+      let metadata = await encryptMetadata(removeNullishValues(_metadata, true));
+      const isDomainAllowed = await isActionDomainAllowed(metadata.domain);
+      if (!isDomainAllowed) {
+        return res.status(400).json({ message: 'Domain not allowed' });
      }
-    }

-    res.json([updatedAgent, updatedAction]);
-  } catch (error) {
-    const message = 'Trouble updating the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+      let { domain } = metadata;
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const action_id = _action_id ?? nanoid();
+      const initialPromises = [];
+
+      // Permissions already validated by middleware - load agent directly
+      initialPromises.push(getAgent({ id: agent_id }));
+      if (_action_id) {
+        initialPromises.push(getActions({ action_id }, true));
+      }
+
+      /** @type {[Agent, [Action|undefined]]} */
+      const [agent, actions_result] = await Promise.all(initialPromises);
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for adding action' });
+      }
+
+      if (actions_result && actions_result.length) {
+        const action = actions_result[0];
+        metadata = { ...action.metadata, ...metadata };
+      }
+
+      const { actions: _actions = [], author: agent_author } = agent ?? {};
+      const actions = [];
+      for (const action of _actions) {
+        const [_action_domain, current_action_id] = action.split(actionDelimiter);
+        if (current_action_id === action_id) {
+          continue;
+        }
+
+        actions.push(action);
+      }
+
+      actions.push(`${domain}${actionDelimiter}${action_id}`);
+
+      /** @type {string[]}} */
+      const { tools: _tools = [] } = agent;
+
+      const tools = _tools
+        .filter((tool) => !(tool && (tool.includes(domain) || tool.includes(action_id))))
+        .concat(functions.map((tool) => `${tool.function.name}${actionDelimiter}${domain}`));
+
+      // Force version update since actions are changing
+      const updatedAgent = await updateAgent(
+        { id: agent_id },
+        { tools, actions },
+        {
+          updatingUserId: req.user.id,
+          forceVersion: true,
+        },
+      );
+
+      // Only update user field for new actions
+      const actionUpdateData = { metadata, agent_id };
+      if (!actions_result || !actions_result.length) {
+        // For new actions, use the agent owner's user ID
+        actionUpdateData.user = agent_author || req.user.id;
+      }
+
+      /** @type {[Action]} */
+      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+
+      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
+      for (let field of sensitiveFields) {
+        if (updatedAction.metadata[field]) {
+          delete updatedAction.metadata[field];
+        }
+      }
+
+      res.json([updatedAgent, updatedAction]);
+    } catch (error) {
+      const message = 'Trouble updating the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
+    }
+  },
+);

 /**
 * Deletes an action for a specific agent.
@ -149,52 +147,55 @@ router.post('/:agent_id', async (req, res) => {
 * @param {string} req.params.action_id - The ID of the action to delete.
 * @returns {Object} 200 - success response - application/json
 */
-router.delete('/:agent_id/:action_id', async (req, res) => {
-  try {
-    const { agent_id, action_id } = req.params;
-    const admin = isAdmin(req);
+router.delete(
+  '/:agent_id/:action_id',
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  async (req, res) => {
+    try {
+      const { agent_id, action_id } = req.params;

-    // If admin, can delete any agent, otherwise only user's agents
-    const agentQuery = admin ? { id: agent_id } : { id: agent_id, author: req.user.id };
-    const agent = await getAgent(agentQuery);
-    if (!agent) {
-      return res.status(404).json({ message: 'Agent not found for deleting action' });
-    }
-
-    const { tools = [], actions = [] } = agent;
-
-    let domain = '';
-    const updatedActions = actions.filter((action) => {
-      if (action.includes(action_id)) {
-        [domain] = action.split(actionDelimiter);
-        return false;
+      // Permissions already validated by middleware - load agent directly
+      const agent = await getAgent({ id: agent_id });
+      if (!agent) {
+        return res.status(404).json({ message: 'Agent not found for deleting action' });
      }
-      return true;
-    });

-    domain = await domainParser(domain, true);
+      const { tools = [], actions = [] } = agent;

-    if (!domain) {
-      return res.status(400).json({ message: 'No domain provided' });
+      let domain = '';
+      const updatedActions = actions.filter((action) => {
+        if (action.includes(action_id)) {
+          [domain] = action.split(actionDelimiter);
+          return false;
+        }
+        return true;
+      });
+
+      domain = await domainParser(domain, true);
+
+      if (!domain) {
+        return res.status(400).json({ message: 'No domain provided' });
+      }
+
+      const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
+
+      // Force version update since actions are being removed
+      await updateAgent(
+        { id: agent_id },
+        { tools: updatedTools, actions: updatedActions },
+        { updatingUserId: req.user.id, forceVersion: true },
+      );
+      await deleteAction({ action_id });
+      res.status(200).json({ message: 'Action deleted successfully' });
+    } catch (error) {
+      const message = 'Trouble deleting the Agent Action';
+      logger.error(message, error);
+      res.status(500).json({ message });
    }
-
-    const updatedTools = tools.filter((tool) => !(tool && tool.includes(domain)));
-
-    // Force version update since actions are being removed
-    await updateAgent(
-      agentQuery,
-      { tools: updatedTools, actions: updatedActions },
-      { updatingUserId: req.user.id, forceVersion: true },
-    );
-    // If admin, can delete any action, otherwise only user's actions
-    const actionQuery = admin ? { action_id } : { action_id, user: req.user.id };
-    await deleteAction(actionQuery);
-    res.status(200).json({ message: 'Action deleted successfully' });
-  } catch (error) {
-    const message = 'Trouble deleting the Agent Action';
-    logger.error(message, error);
-    res.status(500).json({ message });
-  }
-});
+  },
+);

 module.exports = router;
--- a/api/server/routes/agents/chat.js
+++ b/api/server/routes/agents/chat.js
@ -1,4 +1,5 @@
 const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const {
  setHeaders,
@ -7,6 +8,7 @@ const {
  generateCheckAccess,
  validateConvoAccess,
  buildEndpointOption,
+  canAccessAgentFromBody,
 } = require('~/server/middleware');
 const { initializeClient } = require('~/server/services/Endpoints/agents');
 const AgentController = require('~/server/controllers/agents/request');
@ -17,8 +19,12 @@ const router = express.Router();
 router.use(moderateText);

 const checkAgentAccess = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
+const checkAgentResourceAccess = canAccessAgentFromBody({
+  requiredPermission: PermissionBits.VIEW,
+});

 router.use(checkAgentAccess);
+router.use(checkAgentResourceAccess);
 router.use(validateConvoAccess);
 router.use(buildEndpointOption);
 router.use(setHeaders);
--- a/api/server/routes/agents/v1.js
+++ b/api/server/routes/agents/v1.js
@ -1,6 +1,11 @@
 const express = require('express');
+const { PermissionBits } = require('@librechat/data-schemas');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
-const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
+const {
+  requireJwtAuth,
+  generateCheckAccess,
+  canAccessAgentResource,
+} = require('~/server/middleware');
 const v1 = require('~/server/controllers/agents/v1');
 const actions = require('./actions');
 const tools = require('./tools');
@ -46,13 +51,38 @@ router.use('/tools', tools);
 router.post('/', checkAgentCreate, v1.createAgent);

 /**
- * Retrieves an agent.
+ * Retrieves basic agent information (VIEW permission required).
+ * Returns safe, non-sensitive agent data for viewing purposes.
 * @route GET /agents/:id
 * @param {string} req.params.id - Agent identifier.
- * @returns {Agent} 200 - Success response - application/json
+ * @returns {Agent} 200 - Basic agent info - application/json
 */
-router.get('/:id', checkAgentAccess, v1.getAgent);
+router.get(
+  '/:id',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.getAgent,
+);

+/**
+ * Retrieves full agent details including sensitive configuration (EDIT permission required).
+ * Returns complete agent data for editing/configuration purposes.
+ * @route GET /agents/:id/expanded
+ * @param {string} req.params.id - Agent identifier.
+ * @returns {Agent} 200 - Full agent details - application/json
+ */
+router.get(
+  '/:id/expanded',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  (req, res) => v1.getAgent(req, res, true), // Expanded version
+);
 /**
 * Updates an agent.
 * @route PATCH /agents/:id
@ -60,7 +90,15 @@ router.get('/:id', checkAgentAccess, v1.getAgent);
 * @param {AgentUpdateParams} req.body - The agent update parameters.
 * @returns {Agent} 200 - Success response - application/json
 */
-router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
+router.patch(
+  '/:id',
+  checkGlobalAgentShare,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'id',
+  }),
+  v1.updateAgent,
+);

 /**
 * Duplicates an agent.
@ -68,7 +106,15 @@ router.patch('/:id', checkGlobalAgentShare, v1.updateAgent);
 * @param {string} req.params.id - Agent identifier.
 * @returns {Agent} 201 - Success response - application/json
 */
-router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
+router.post(
+  '/:id/duplicate',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.VIEW,
+    resourceIdParam: 'id',
+  }),
+  v1.duplicateAgent,
+);

 /**
 * Deletes an agent.
@ -76,7 +122,15 @@ router.post('/:id/duplicate', checkAgentCreate, v1.duplicateAgent);
 * @param {string} req.params.id - Agent identifier.
 * @returns {Agent} 200 - success response - application/json
 */
-router.delete('/:id', checkAgentCreate, v1.deleteAgent);
+router.delete(
+  '/:id',
+  checkAgentCreate,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.DELETE,
+    resourceIdParam: 'id',
+  }),
+  v1.deleteAgent,
+);

 /**
 * Reverts an agent to a previous version.
@ -103,6 +157,14 @@ router.get('/', checkAgentAccess, v1.getListAgents);
 * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);
+avatar.post(
+  '/:agent_id/avatar/',
+  checkAgentAccess,
+  canAccessAgentResource({
+    requiredPermission: PermissionBits.EDIT,
+    resourceIdParam: 'agent_id',
+  }),
+  v1.uploadAgentAvatar,
+);

 module.exports = { v1: router, avatar };
--- a/api/server/routes/index.js
+++ b/api/server/routes/index.js
@ -1,3 +1,4 @@
+const accessPermissions = require('./accessPermissions');
 const assistants = require('./assistants');
 const categories = require('./categories');
 const tokenizer = require('./tokenizer');
@ -28,6 +29,7 @@ const user = require('./user');
 const mcp = require('./mcp');

 module.exports = {
+  mcp,
  edit,
  auth,
  keys,
@ -55,5 +57,5 @@ module.exports = {
  assistants,
  categories,
  staticRoute,
-  mcp,
+  accessPermissions,
 };
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@ -9,6 +9,7 @@ const {
  setBalanceConfig,
  checkDomainAllowed,
 } = require('~/server/middleware');
+const { syncUserEntraGroupMemberships } = require('~/server/services/PermissionService');
 const { setAuthTokens, setOpenIDAuthTokens } = require('~/server/services/AuthService');
 const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');
@ -35,6 +36,7 @@ const oauthHandler = async (req, res) => {
      req.user.provider == 'openid' &&
      isEnabled(process.env.OPENID_REUSE_TOKENS) === true
    ) {
+      await syncUserEntraGroupMemberships(req.user, req.user.tokenset.access_token);
      setOpenIDAuthTokens(req.user.tokenset, res);
    } else {
      await setAuthTokens(req.user._id, res);