fix: disable /loaduser #975

Merged
carlosthe19916 merged 3 commits into guacsec:main from carlosthe19916:hotfix/disable-load-user
Apr 9, 2026

Conversation

@carlosthe19916 (Collaborator) commented Apr 2, 2026

Fixes: https://redhat.atlassian.net/browse/TC-3623

loadUserInfo=true forces the endpoint /loaduser to be fetched and, due to internals of the library, the whole OIDC flow fails in case /loaduser fails.

In Keycloak it is not needed to call /loaduser because the username is already part of the /token response, so there is no harm in disabling it for the benefit of making it work in Azure.

Summary by Sourcery

Bug Fixes:

  • Prevent OIDC login failures when the /loaduser endpoint is unavailable by disabling automatic user info loading.

Signed-off-by: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com>
@sourcery-ai (Contributor) bot commented Apr 2, 2026

Reviewer's Guide

Disables the OIDC client’s /loaduser call by setting loadUserInfo to false in the client configuration, relying on user information from the token response instead to prevent flow failures when /loaduser is unavailable (e.g., in Azure).

Sequence diagram for OIDC login flow with loadUserInfo disabled

sequenceDiagram
    actor User
    participant WebApp
    participant OIDCProvider

    User->>WebApp: Initiate login
    WebApp->>OIDCProvider: Authorization request (response_type=code)
    OIDCProvider-->>WebApp: Authorization code
    WebApp->>OIDCProvider: Token request (code)
    OIDCProvider-->>WebApp: Token response (includes user info)

    alt loadUserInfo_true (previous behavior)
        WebApp->>OIDCProvider: GET /loaduser
        alt loaduser_success
            OIDCProvider-->>WebApp: User profile
            WebApp-->>User: Authenticated session established
        else loaduser_failure
            OIDCProvider-->>WebApp: Error
            WebApp-->>User: OIDC flow fails
        end
    else loadUserInfo_false (current behavior)
        Note right of WebApp: /loaduser is not called
        WebApp-->>User: Authenticated session established using token user info
    end

File-Level Changes

Change: Disable the OIDC client’s user info loading to avoid reliance on the /loaduser endpoint.
Details:
  • Updated OIDC client settings to set loadUserInfo to false instead of true, preventing the automatic /loaduser request and relying on data already present in the token response.
Files: client/src/app/oidc.ts


@carlosthe19916 carlosthe19916 added the backport release/0.4.z This PR should be backported to release/0.4.z branch. label Apr 2, 2026
@sourcery-ai (Contributor) bot left a comment

Hey - I've left some high-level feedback:

  • Consider adding a brief code comment next to loadUserInfo: false explaining the Azure/Keycloak rationale so future maintainers understand why this deviates from the library’s default behavior.
  • If other OIDC providers may still require /loaduser, you might want to make loadUserInfo configurable (e.g., via ENV) rather than hard-coding it to false to avoid regressions for non-Keycloak setups.

@codecov bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.50%. Comparing base (3428706) to head (e2164bd).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #975      +/-   ##
==========================================
- Coverage   66.52%   66.50%   -0.02%     
==========================================
  Files         218      218              
  Lines        3827     3828       +1     
  Branches      873      873              
==========================================
  Hits         2546     2546              
- Misses        947      950       +3     
+ Partials      334      332       -2     


@PhilipCattanach commented

Hi Carlos, I discussed the work required to have RHPTA working with Azure Entra ID this morning, and we need an additional Helm Chart property, OIDC_USER_INFO, that is a boolean and defaults to true.

Can you please update this PR so that the loadUserInfo setting is set from the Helm Chart property?
Thanks,

Phil

Signed-off-by: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com>
@carlosthe19916 (Collaborator, Author) commented

@PhilipCattanach ok, I made changes so there is a new Env OIDC_LOAD_USER="true"|"false" that can be injected.

Due to the current architecture, where the UI is served by the Actix Rust server, once this PR is merged a change will need to be made in the backend to inject this new env. So the flow will be:

  • This PR is reviewed and merged here in this ui repository. @stanislavsemeniuk please help me review this change
  • The backend https://github.com/guacsec/trustify needs to configure the code so the new env var is injected
  • The Helm Chart needs to inject this new Env var too
    • I guess it will be enough for the Ansible and Operator to inject the new Env var too.
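As an added example (not code from the trustify UI or from the OIDC client library) of the OIDC_LOAD_USER="true"|"false" injection described above: the env string is parsed strictly into the loadUserInfo boolean, defaulting to true as Phil's comment requests, and any other value is rejected rather than coerced. The helper names and the Keycloak/Azure env maps are constructed for illustration.

```typescript
// Added example, not code from the trustify UI or the OIDC client library.
// Resolves the client's `loadUserInfo` setting from the injected
// OIDC_LOAD_USER="true"|"false" environment value. Helper names are hypothetical.

/** Minimal view of the client settings this PR touches; other fields omitted. */
interface OidcClientSettings {
  // false: skip the /loaduser (userinfo) request and rely on the claims
  // already present in the token response (sufficient for Keycloak).
  loadUserInfo: boolean;
}

// Unset means "keep the library default / Helm chart default", which is true.
const DEFAULT_LOAD_USER_INFO = true;

/**
 * Strict string-to-boolean parsing for the env flag. Only "true" and "false"
 * (case-insensitive, trimmed) are accepted. Unset or empty falls back to the
 * default. Any other value is a misconfiguration and is rejected, because a
 * naive `Boolean("false") === true` would silently re-enable the /loaduser call.
 */
function parseLoadUserFlag(raw: string | undefined): boolean {
  if (raw === undefined || raw.trim() === "") {
    return DEFAULT_LOAD_USER_INFO;
  }
  const value = raw.trim().toLowerCase();
  if (value === "true") return true;
  if (value === "false") return false;
  throw new Error(
    `OIDC_LOAD_USER must be "true" or "false", got ${JSON.stringify(raw)}`,
  );
}

/** Build the settings fragment from whatever env map the server injected. */
function oidcSettingsFromEnv(
  env: Record<string, string | undefined>,
): OidcClientSettings {
  return { loadUserInfo: parseLoadUserFlag(env["OIDC_LOAD_USER"]) };
}

// Constructed sample env maps for the two deployments the PR discusses.
const keycloakEnv: Record<string, string | undefined> = {}; // nothing injected
const azureEnv: Record<string, string | undefined> = { OIDC_LOAD_USER: "false" };

console.log(oidcSettingsFromEnv(keycloakEnv)); // { loadUserInfo: true }
console.log(oidcSettingsFromEnv(azureEnv)); // { loadUserInfo: false }
```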

@carlosthe19916 carlosthe19916 added this pull request to the merge queue Apr 9, 2026
Merged via the queue into guacsec:main with commit 2007d2c Apr 9, 2026
11 checks passed
@github-project-automation github-project-automation bot moved this to Done in Trustify Apr 9, 2026
github-actions bot pushed a commit that referenced this pull request Apr 9, 2026
Signed-off-by: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com>
(cherry picked from commit 2007d2c)
@trustify-ci-bot (Contributor) commented

Successfully created backport PR for release/0.4.z:
