Fixed an issue where OAuth2 authentication fails with 'object has no attribute' if OAUTH2_AUTO_CREATE_USER is False. #9279 #9691

Open

khushboovashi wants to merge 2 commits into pgadmin-org:master from khushboovashi:master

Conversation

@khushboovashi (Contributor) commented Mar 4, 2026

Summary by CodeRabbit

  • Localization
    • Added internationalization for OAuth2 authentication messages, including login errors, claim validation responses, auto-user creation notices, and audit/log messages.
  • Bug Fixes
    • Improved handling and user-facing messages for missing provider/profile/username data.
    • Adjusted auto-create user flow to surface a localized "No Email/Username found. Please contact your administrator." when creation is disallowed.

coderabbitai bot commented Mar 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4750d8ce-5f38-4557-9f77-110aa450094f

📥 Commits

Reviewing files that changed from the base of the PR and between 10e7a36 and c6abfe0.

📒 Files selected for processing (1)
  • web/pgadmin/authenticate/oauth2.py

Walkthrough

Replaced hard-coded strings with gettext-wrapped messages across the OAuth2 authentication flow and claim validation. Modified __auto_create_user to check for an existing user before creating; if not found and auto-creation is disabled, return a localized failure message.

Changes

Cohort / File(s): OAuth2 Localization & Auto-create (web/pgadmin/authenticate/oauth2.py)
Summary: Replaced literal error/reason/log messages with gettext-wrapped strings across login, OIDC/non-OIDC branches, claim validation, and logging. Updated __auto_create_user to first query for an existing user; if none and AUTO_CREATE_USER is disabled, return a localized failure message; if enabled, proceed with creation as before.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly addresses the main fix: resolving an OAuth2 authentication failure when OAUTH2_AUTO_CREATE_USER is disabled, which aligns with the auto-create user logic reworking described in the summary.


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/pgadmin/authenticate/oauth2.py`:
- Around line 699-700: The failure message returned by the "return False,
gettext(...)" line in oauth2.py is misleading for the branch where the user
isn't provisioned and auto-create is disabled; update that gettext string to
clearly state that the user exists in the identity provider but is not
provisioned in pgAdmin and automatic user creation is disabled (e.g., "User not
provisioned in pgAdmin and automatic user creation is disabled. Please contact
your administrator."), keeping it wrapped in gettext to preserve localization
and leaving the return tuple signature intact.
- Around line 710-712: The current check uses additional_claims.keys() is None
which is unreachable and causes empty dicts to be treated as failing; change the
logic to treat None or empty mappings as "no checks" and authorize: replace the
condition with a truthiness check (e.g., if not additional_claims:) and return
success (True, None) so an empty {} does not cause unauthorized; remove the
keys() is None check and ensure the rest of the additional_claims validation
only runs when additional_claims is non-empty.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b0245443-03fe-4cb3-9428-dda69e9bbcda

📥 Commits

Reviewing files that changed from the base of the PR and between 5b231dd and 10e7a36.

📒 Files selected for processing (1)
  • web/pgadmin/authenticate/oauth2.py
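An added illustration of the two findings listed under Inline comments above (the reordered lookup in the auto-create flow from the walkthrough, and the unreachable `.keys() is None` condition in claim validation). This is constructed example code, not pgAdmin's oauth2.py: the function names, the "any configured claim value matches" semantics and the shape of `profile` are assumptions.

```python
from typing import Any, Mapping, Optional, Set, Tuple

# Constructed illustration of the two checks discussed in the review; not
# pgAdmin's oauth2.py. Function names, the "any configured claim value
# matches" semantics and the shape of `profile` are assumptions.
Result = Tuple[bool, Optional[str]]
NOT_PROVISIONED = 'No Email/Username found. Please contact your administrator.'

def _claims_match(profile: Mapping[str, Any], claims: Mapping[str, Any]) -> bool:
    # Authorised when at least one configured claim value appears in the
    # profile; a profile value may be a scalar or a list of values.
    for claim, allowed in claims.items():
        present = profile.get(claim)
        if present is None:
            continue
        values = present if isinstance(present, (list, tuple, set)) else [present]
        if any(value in allowed for value in values):
            return True
    return False

def validate_claims_buggy(profile, claims) -> Result:
    # Flagged condition: a dict's keys() view is never None, so this return is
    # unreachable, {} falls through and fails, and None raises AttributeError.
    if claims.keys() is None:
        return True, None
    if _claims_match(profile, claims):
        return True, None
    return False, 'Unauthorized (constructed message)'

def validate_claims_fixed(profile, claims) -> Result:
    # Truthiness check: None or {} means no extra checks are configured.
    if not claims:
        return True, None
    if _claims_match(profile, claims):
        return True, None
    return False, 'Unauthorized (constructed message)'

def auto_create_user(username: Optional[str], existing_users: Set[str],
                     auto_create_enabled: bool) -> Tuple[Optional[str], Optional[str]]:
    # Look the user up first; create only when allowed, otherwise fail closed
    # with a message instead of continuing with a missing user object.
    if username is None:
        return None, NOT_PROVISIONED
    if username in existing_users:
        return username, None
    if not auto_create_enabled:
        return None, NOT_PROVISIONED  # wording as in the PR, see inline comment
    existing_users.add(username)
    return username, None
```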

Comment on lines +699 to +700:

    return False, gettext('No Email/Username found.'
                          ' Please contact your administrator.')

⚠️ Potential issue | 🟡 Minor

Failure message is inaccurate for this branch.

This branch means “user not provisioned and auto-create disabled,” not “no email/username found,” which can mislead admins during triage.

Suggested message tweak
-                return False, gettext('No Email/Username found.'
-                                      ' Please contact your administrator.')
+                return False, gettext(
+                    'User is not provisioned in pgAdmin and automatic '
+                    'user creation is disabled. Please contact your '
+                    'administrator.'
+                )
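Review bot: the string in the `+` lines is the second element of the failure tuple, i.e. the text shown to the user at login, so changing it alone does not address the admin-triage concern raised above; log the precise reason (no matching pgAdmin user, auto-creation disabled) at the same point through the gettext-wrapped log messages this PR already adds, and keep the user-facing message short. The suggested wording is otherwise fine and keeps the `(False, message)` return shape intact.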
