coder
diff --git a/‎coderd/coderd.go
Lines changed: 5 additions & 3 deletions b/‎coderd/coderd.go
Lines changed: 5 additions & 3 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 10 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 10 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 5 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 5 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 16 additions & 30 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 16 additions & 30 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 7 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 7 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 14 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 14 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 12 additions & 18 deletions b/‎coderd/database/queries.sql.go
Lines changed: 12 additions & 18 deletions
diff --git a/‎coderd/database/queries/groupmembers.sql
Lines changed: 2 additions & 3 deletions b/‎coderd/database/queries/groupmembers.sql
Lines changed: 2 additions & 3 deletions
diff --git a/‎coderd/userauth.go
Lines changed: 9 additions & 5 deletions b/‎coderd/userauth.go
Lines changed: 9 additions & 5 deletions
@@ -134,7 +134,7 @@ type Options struct {
 	BaseDERPMap                 *tailcfg.DERPMap
 	DERPMapUpdateFrequency      time.Duration
 	SwaggerEndpoint             bool
-	SetUserGroups               func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, groupNames []string, createMissingGroups bool) error
+	SetUserGroups               func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error
 	SetUserSiteRoles            func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, roles []string) error
 	TemplateScheduleStore       *atomic.Pointer[schedule.TemplateScheduleStore]
 	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
@@ -301,9 +301,11 @@ func New(options *Options) *API {
 		options.TracerProvider = trace.NewNoopTracerProvider()
 	}
 	if options.SetUserGroups == nil {
-		options.SetUserGroups = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, groups []string, createMissingGroups bool) error {
+		options.SetUserGroups = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error {
 			logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",
-				slog.F("user_id", userID), slog.F("groups", groups), slog.F("create_missing_groups", createMissingGroups),
+				slog.F("user_id", userID),
+				slog.F("groups", orgGroupNames),
+				slog.F("create_missing_groups", createMissingGroups),
 			)
 			return nil
 		}
 
@@ -656,6 +656,14 @@ func authorizedTemplateVersionFromJob(ctx context.Context, q *querier, job datab
 	}
 }
 
+func (q *querier) RemoveUserFromAllGroups(ctx context.Context, userID uuid.UUID) error {
+	// This is a system function to clear user groups in group sync.
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.RemoveUserFromAllGroups(ctx, userID)
+}
+
 func (q *querier) AcquireLock(ctx context.Context, id int64) error {
 	return q.db.AcquireLock(ctx, id)
 }
@@ -793,16 +801,6 @@ func (q *querier) DeleteGroupMemberFromGroup(ctx context.Context, arg database.D
 	return update(q.log, q.auth, fetch, q.db.DeleteGroupMemberFromGroup)(ctx, arg)
 }
 
-func (q *querier) DeleteGroupMembersByOrgAndUser(ctx context.Context, arg database.DeleteGroupMembersByOrgAndUserParams) error {
-	// This will remove the user from all groups in the org. This counts as updating a group.
-	// NOTE: instead of fetching all groups in the org with arg.UserID as a member, we instead
-	// check if the caller has permission to update any group in the org.
-	fetch := func(ctx context.Context, arg database.DeleteGroupMembersByOrgAndUserParams) (rbac.Objecter, error) {
-		return rbac.ResourceGroup.InOrg(arg.OrganizationID), nil
-	}
-	return update(q.log, q.auth, fetch, q.db.DeleteGroupMembersByOrgAndUser)(ctx, arg)
-}
-
 func (q *querier) DeleteLicense(ctx context.Context, id int32) (int32, error) {
 	err := deleteQ(q.log, q.auth, q.db.GetLicenseByID, func(ctx context.Context, id int32) error {
 		_, err := q.db.DeleteLicense(ctx, id)
 
@@ -344,17 +344,14 @@ func (s *MethodTestSuite) TestGroup() {
 			GroupNames:     slice.New(g1.Name, g2.Name),
 		}).Asserts(rbac.ResourceGroup.InOrg(o.ID), rbac.ActionUpdate).Returns()
 	}))
-	s.Run("DeleteGroupMembersByOrgAndUser", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("RemoveUserFromAllGroups", s.Subtest(func(db database.Store, check *expects) {
 		o := dbgen.Organization(s.T(), db, database.Organization{})
 		u1 := dbgen.User(s.T(), db, database.User{})
 		g1 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
 		g2 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
 		_ = dbgen.GroupMember(s.T(), db, database.GroupMember{GroupID: g1.ID, UserID: u1.ID})
 		_ = dbgen.GroupMember(s.T(), db, database.GroupMember{GroupID: g2.ID, UserID: u1.ID})
-		check.Args(database.DeleteGroupMembersByOrgAndUserParams{
-			OrganizationID: o.ID,
-			UserID:         u1.ID,
-		}).Asserts(rbac.ResourceGroup.InOrg(o.ID), rbac.ActionUpdate).Returns()
+		check.Args(u1.ID).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns()
 	}))
 	s.Run("UpdateGroupByID", s.Subtest(func(db database.Store, check *expects) {
 		g := dbgen.Group(s.T(), db, database.Group{})
 
@@ -733,6 +733,22 @@ func isNotNull(v interface{}) bool {
 	return reflect.ValueOf(v).FieldByName("Valid").Bool()
 }
 
+func (q *FakeQuerier) RemoveUserFromAllGroups(_ context.Context, userID uuid.UUID) error {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	newMembers := q.groupMembers[:0]
+	for _, member := range q.groupMembers {
+		if member.UserID == userID {
+			continue
+		}
+		newMembers = append(newMembers, member)
+	}
+	q.groupMembers = newMembers
+
+	return nil
+}
+
 func (*FakeQuerier) AcquireLock(_ context.Context, _ int64) error {
 	return xerrors.New("AcquireLock must only be called within a transaction")
 }
@@ -1135,36 +1151,6 @@ func (q *FakeQuerier) DeleteGroupMemberFromGroup(_ context.Context, arg database
 	return nil
 }
 
-func (q *FakeQuerier) DeleteGroupMembersByOrgAndUser(_ context.Context, arg database.DeleteGroupMembersByOrgAndUserParams) error {
-	q.mutex.Lock()
-	defer q.mutex.Unlock()
-
-	newMembers := q.groupMembers[:0]
-	for _, member := range q.groupMembers {
-		if member.UserID != arg.UserID {
-			// Do not delete the other members
-			newMembers = append(newMembers, member)
-		} else if member.UserID == arg.UserID {
-			// We only want to delete from groups in the organization in the args.
-			for _, group := range q.groups {
-				// Find the group that the member is apartof.
-				if group.ID == member.GroupID {
-					// Only add back the member if the organization ID does not match
-					// the arg organization ID. Since the arg is saying which
-					// org to delete.
-					if group.OrganizationID != arg.OrganizationID {
-						newMembers = append(newMembers, member)
-					}
-					break
-				}
-			}
-		}
-	}
-	q.groupMembers = newMembers
-
-	return nil
-}
-
 func (q *FakeQuerier) DeleteLicense(_ context.Context, id int32) (int32, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -42,12 +42,11 @@ SELECT
 FROM
     groups;
 
--- name: DeleteGroupMembersByOrgAndUser :exec
+-- name: RemoveUserFromAllGroups :exec
 DELETE FROM
 	group_members
 WHERE
-	group_members.user_id = @user_id
-	AND group_id = ANY(SELECT id FROM groups WHERE organization_id = @organization_id);
+	user_id = @user_id;
 
 -- name: InsertGroupMember :exec
 INSERT INTO
 
@@ -1217,7 +1217,7 @@ type oauthLoginParams struct {
 	// to the Groups provided.
 	UsingGroups         bool
 	CreateMissingGroups bool
-	Groups              []string
+	Groups              map[uuid.UUID][]string
 	GroupFilter         *regexp.Regexp
 	// Is UsingRoles is true, then the user will be assigned
 	// the roles provided.
@@ -1460,11 +1460,15 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 		if params.UsingGroups {
 			filtered := params.Groups
 			if params.GroupFilter != nil {
-				filtered = make([]string, 0, len(params.Groups))
-				for _, group := range params.Groups {
-					if params.GroupFilter.MatchString(group) {
-						filtered = append(filtered, group)
+				// For each org, filter the groups.
+				for orgID, groups := range filtered {
+					filteredList := make([]string, 0, len(groups))
+					for _, group := range groups {
+						if params.GroupFilter.MatchString(group) {
+							filteredList = append(filteredList, group)
+						}
 					}
+					filtered[orgID] = filteredList
 				}
 			}