From 61bf7960acb5d71f630bd0a858898195c142249a Mon Sep 17 00:00:00 2001
From: Dave Lawrence <davmlaw@gmail.com>
Date: Thu, 25 Jun 2026 13:37:10 +0930
Subject: [PATCH] oidc_auth: guard group removal against out-of-band group
 deletion

When removing a group a user has left, look it up with .filter(...).first() so a group
deleted out-of-band between logins no longer raises during login.
---
 oidc_auth/backend.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/oidc_auth/backend.py b/oidc_auth/backend.py
index 94279b65a..914142d6b 100644
--- a/oidc_auth/backend.py
+++ b/oidc_auth/backend.py
@@ -166,8 +166,9 @@ def create_or_update(self, user: User, claims):
         added_groups = groups.difference(django_groups)
 
         for removed_group in removed_groups:
-            group = Group.objects.get(name=removed_group)
-            user.groups.remove(group)
+            # Group may have been deleted out-of-band between logins - skip if gone
+            if group := Group.objects.filter(name=removed_group).first():
+                user.groups.remove(group)
 
         for added_group in added_groups:
             # note that we trust the OIDC connector as it can already make admins