Unable to Login After Profile Deletion (OIDC - PreProd Only)

0
Hi Community,

We are facing a login issue in our Pre-Production environment.

Scenario:

  1. User logs in successfully using OIDC.
  2. We then remove/delete the user profile from the application.
  3. When the same user tries to log in again, the login does not complete.

What Happens:

  • After login, the app hits /oauth/v2/callback
  • It throws a 500 (Server Error)
  • User is redirected back to the login screen

Also, we are seeing this message in logs:

"OIDC: no-roles handled ..simple plain login"

Important Points:

  • This issue is happening only in PreProd
  • Same flow works perfectly fine in Local/other environments
  • Looks like user is not getting created properly or roles are missing after deletion

Has anyone faced a similar issue where:

  • Deleted user is unable to login again via OIDC?
  • Or "no-roles handled / plain login" causes login failure?

Any suggestions on what might be missing in configuration or user provisioning would really help.

Thanks!
asked
2 answers
0

This behavior is expected in OIDC setups and is usually related to user provisioning and role assignment. What is happening is that the user is successfully authenticated by the IdP, but after you delete the user in Mendix, the next login either does not recreate the user properly or recreates it without any roles. The log “OIDC: no-roles handled … simple plain login” confirms this. Since the user has no roles, Mendix cannot create a valid session, which results in a 500 error and a redirect back to the login page.


Make sure your provisioning logic (for example CustomUserProvisioning) always creates the user if it does not exist and assigns at least one valid User Role. Since the issue only happens in PreProd, also check differences in role/claim mapping, environment constants, and whether the provisioning flow depends on data that may be missing there.


A simple and reliable fix is to add a fallback in your provisioning microflow: after role mapping, check if $Account/System.UserRoles is empty, and if so, retrieve a default role (for example “User”) and assign it to the account. This guarantees that the user can still log in even if role mapping fails.


As a quick test, delete the user, log in again, and check if the recreated user has any roles. If not, that is the root cause.


If this resolves your issue, please mark it as accepted.


answered
-1

Hi,


This is a classic OIDC provisioning issue, and your log already tells the exact problem:

OIDC: no-roles handled… simple plain login

What is really happening

Your flow:

  1. User logs in via OIDC → works
  2. You delete the user from Mendix
  3. User logs in again
  4. OIDC callback hits /oauth/v2/callback
  5. Mendix tries to recreate the user
  6. User gets created without any UserRole
  7. Mendix blocks login → 500 error

So the failure is not authentication, it is missing role assignment during provisioning.

Why it works in Local but fails in PreProd

In Local:

  • You probably have:
    • Default role configured
    • Or test role mapping already working

In PreProd:

  • Either:
    • Role mapping is missing
    • Claim values are different
    • Provisioning microflow not assigning roles


You must ensure that every OIDC login assigns at least one UserRole.

Option 1 — Fix Role Mapping

Go to:

OIDC Module → IdP Configuration

Check:

  • Claim used (example: roles / groups)
  • Mapping:

Example:

  IdP Claim Value    Mendix Role
  user               User
  admin              Admin

Important:

  • Claim name must match exactly
  • Value must match exactly (case-sensitive)

Option 2 — Add Fallback Role

If mapping fails, always assign a default role.

Do this:

  1. Open OIDC module
  2. Find User Provisioning microflow
  3. (usually something like SUB_OIDC_UserProvisioning or custom override)
  4. Add logic:
If $User/System.UserRoles = empty
→ Change Object (User)
→ Assign UserRole = 'User'

This guarantees login will never fail.

Option 3 — Enable Default User Role

In OIDC configuration:

  • Set Default User Role

If available, set:

User

Important Check

After login in PreProd:

  • Check DB → System.User
  • Verify:
UserRoles != empty

If empty → issue confirmed

Why this issue happens only after deletion

When you delete user:

  • All roles are removed
  • Next login = fresh user creation

If provisioning fails → user has zero roles → login blocked


The issue is caused by missing role assignment during OIDC user provisioning. After deleting the user, the next login recreates the user but does not assign any UserRoles. Mendix does not allow users without roles, which results in the “OIDC: no-roles handled… simple plain login” error and a 500 response.

To resolve this, ensure that role mapping from the identity provider is correctly configured, or implement a fallback mechanism in the provisioning microflow to always assign at least one UserRole. This guarantees successful login even if role mapping fails.


answered
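The claim-to-role mapping (exact, case-sensitive match) and the fallback default role described in Options 1 and 2 above, modelled as an added Python example; this is not Mendix module code, and the mapping table, the "roles" claim name and the "User" default role are constructed assumptions for illustration.

```python
# Model of the OIDC provisioning decision discussed above (added example, not Mendix code).
# Assumptions: the IdP sends a "roles" claim as a string or list of strings; the mapping
# table and the default role name are hypothetical values for the environment in question.
from dataclasses import dataclass, field

# Constructed claim->role mapping, as in the answer's table: IdP claim value -> Mendix role.
ROLE_MAPPING = {"user": "User", "admin": "Admin"}
DEFAULT_ROLE = "User"  # fallback role; assumption, as suggested in Option 2


@dataclass
class Account:
    name: str
    user_roles: set = field(default_factory=set)


def map_claim_roles(claims, claim_name="roles", mapping=ROLE_MAPPING):
    """Translate claim values into Mendix roles with an exact, case-sensitive match."""
    values = claims.get(claim_name, [])
    if isinstance(values, str):
        values = [values]
    return {mapping[v] for v in values if v in mapping}


def provision(account, claims, default_role=DEFAULT_ROLE):
    """Provision roles for a (re)created account; returns (account, fallback_used)."""
    account.user_roles = map_claim_roles(claims)
    fallback_used = False
    if not account.user_roles:
        # Mirrors the "no-roles handled" branch: without at least one role the login
        # cannot complete, so apply the default role and flag it so the event can be
        # logged and reviewed (a fallback firing in PreProd points at a mapping gap).
        account.user_roles = {default_role}
        fallback_used = True
    return account, fallback_used


if __name__ == "__main__":
    ok = provision(Account("alice"), {"roles": ["admin"]})
    bad_case = provision(Account("bob"), {"roles": ["Admin"]})  # case mismatch -> fallback
    missing = provision(Account("carol"), {})  # claim absent in this environment -> fallback
    for acct, fb in (ok, bad_case, missing):
        print(acct.name, sorted(acct.user_roles), "fallback" if fb else "mapped")
```

Running it shows that a claim value differing only in case ("Admin" vs "admin") maps to nothing and triggers the fallback, which is the kind of environment-specific difference to look for in PreProd.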