From e7a4967726a59897f8c2c3c1f22543d001dba626 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Tue, 20 Jul 2021 17:42:10 -0700
Subject: [PATCH] fix: openID cleanup all creds associated with OIDC user (#12758)
---
 cmd/iam.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/iam.go b/cmd/iam.go
index 54f1c91f8..97001075a 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1527,20 +1527,20 @@ func (sys *IAMSys) loadUserFromStore(accessKey string) {
 // by checking remote IDP if the relevant users are still active and present.
 func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 sys.store.lock()
- parentUsersMap := make(map[string]auth.Credentials, len(sys.iamUsersMap))
+ parentUsersMap := make(map[string][]auth.Credentials, len(sys.iamUsersMap))
 for _, cred := range sys.iamUsersMap {
 if cred.IsServiceAccount() || cred.IsTemp() {
 userid, err := parseOpenIDParentUser(cred.ParentUser)
 if err == errSkipFile {
 continue
 }
- parentUsersMap[userid] = cred
+ parentUsersMap[userid] = append(parentUsersMap[userid], cred)
 }
 }
 sys.store.unlock()
 expiredUsers := make([]auth.Credentials, 0, len(parentUsersMap))
- for userid, cred := range parentUsersMap {
+ for userid, creds := range parentUsersMap {
 u, err := globalOpenIDConfig.LookupUser(userid)
 if err != nil {
 logger.LogIf(GlobalContext, err)
@@ -1548,7 +1548,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 }
 // Disabled parentUser purge the entries locally
 if !u.Enabled {
- expiredUsers = append(expiredUsers, cred)
+ expiredUsers = append(expiredUsers, creds...)
 }
 }
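Review bot: The new `append(parentUsersMap[userid], cred)` in the first hunk still runs when `parseOpenIDParentUser` returns an error other than `errSkipFile`, because the guard above it skips only that one sentinel. If the helper can return any other error (its body is not shown here), those credentials would be grouped under whatever `userid` came back, possibly the empty string, and the purge decision for them would then depend on looking that key up at the IdP. A stricter guard such as `if err != nil { continue }`, logging anything that is not `errSkipFile`, keeps unparsed parent users out of the map. The diffstat also shows only cmd/iam.go changed; a regression test with one parent user holding both a service account and a temporary credential would pin the behaviour this commit fixes.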
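Review bot: A failed `LookupUser` appears to leave every credential of that parent user in place, and nothing at the error branch closing at the top of the second hunk says that this is intended. The line between the two hunks is not shown (presumably a `continue`), so this is inferred: the branch only logs and the `creds...` append is never reached for that user. Now that all of a user's service-account and temporary credentials are purged together, an IdP outage or lookup error is the one path on which a disabled user's credentials all survive until the next run. A comment on that branch would make the choice explicit, for example `// lookup failed: keep creds for now, they are re-checked on the next purge cycle`. The function continues past the hunk, so how `expiredUsers` is consumed is not visible here.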