diff --git a/management/server/user.go b/management/server/user.go index b4b9ebe01b4..b1840c2fcb6 100644 --- a/management/server/user.go +++ b/management/server/user.go @@ -234,6 +234,21 @@ func (am *DefaultAccountManager) GetUserFromUserAuth(ctx context.Context, userAu return nil, err } + // Refresh name/email from ID-token claims on each login (parity with JWT group sync) + origName, origEmail := user.Name, user.Email + if (userAuth.Name != "" && user.Name != userAuth.Name) || (userAuth.Email != "" && user.Email != userAuth.Email) { + if userAuth.Name != "" { + user.Name = userAuth.Name + } + if userAuth.Email != "" { + user.Email = userAuth.Email + } + if err := am.Store.SaveUser(ctx, user); err != nil { + user.Name, user.Email = origName, origEmail + log.WithContext(ctx).Debugf("failed to update user name/email: %v", err) + } + } + // this code should be outside of the am.GetAccountIDFromToken(claims) because this method is called also by the gRPC // server when user authenticates a device. And we need to separate the Dashboard login event from the Device login event. newLogin := user.LastDashboardLoginChanged(userAuth.LastLogin)