Improvement
Resolution: Unresolved
Minor
None
3.11.8, 4.0.2
Hello, at my University we run into a problem trying to use OAuth2 with a Keycloak backend for Moodle SSO authentication. While we have to lock user fields in order to keep students from editing their own data, we would like to keep the authorization library's update function to keep the database in sync with our identity provider.

    if ($lockvalue === 'unlocked' || ($lockvalue === 'unlockedifempty' && empty($oldvalue))) {
        $value = (string)$value;
        if ($oldvalue !== $value) {
            $user->$fieldname = $value;
        }
    }

These lines of code from /auth/oauth/classes/auth.php make the behaviour we would like to see mutually exclusive. We can either have the identity server update our user and give them the capability to edit their user themselves, or we can lock the fields and no updates are possible at all. Could we decouple the manual user field updates from updates initiated by the authentication process?
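
One way the requested decoupling could look, shown as an added example that is not Moodle's code and not part of the original report: the lock value keeps gating edits made by the user, while a separate per-field setting governs writes that come from the identity provider. The function names, the `$source` argument and the `$updatelocal` setting with its values `'oncreate'` and `'onlogin'` are hypothetical.

```php
<?php
// Added illustration, not Moodle code. Function names, $source and the
// $updatelocal setting ('oncreate' / 'onlogin') are assumptions.

/** Behaviour of the quoted snippet: one lock value gates every writer. */
function coupled_should_update(string $lockvalue, $oldvalue): bool {
    return $lockvalue === 'unlocked'
        || ($lockvalue === 'unlockedifempty' && empty($oldvalue));
}

/**
 * Decoupled decision: the lock applies only to edits made by the user;
 * a separate per-field setting governs writes from the identity provider.
 */
function decoupled_should_update(string $source, string $lockvalue, string $updatelocal, $oldvalue): bool {
    if ($source === 'idp') {
        // Sync on every login when configured, otherwise only fill empty
        // fields (for example at account creation).
        return $updatelocal === 'onlogin' || empty($oldvalue);
    }
    // Profile-form edits still honour the lock.
    return coupled_should_update($lockvalue, $oldvalue);
}

/** Apply claims from a login to a user record; returns the changed field names. */
function sync_user_from_idp(stdClass $user, array $claims, array $locks, array $updatelocal): array {
    $changed = [];
    foreach ($claims as $fieldname => $value) {
        $oldvalue = $user->$fieldname ?? '';
        $value = (string)$value;
        $lock = $locks[$fieldname] ?? 'unlocked';
        $mode = $updatelocal[$fieldname] ?? 'oncreate';
        if ($oldvalue !== $value && decoupled_should_update('idp', $lock, $mode, $oldvalue)) {
            $user->$fieldname = $value;
            $changed[] = $fieldname;
        }
    }
    return $changed;
}

// Constructed sample data: both fields are locked against user edits,
// but only firstname is configured to follow the identity provider.
$user = (object)['firstname' => 'Ana', 'email' => 'old@example.edu'];
$claims = ['firstname' => 'Anna', 'email' => 'new@example.edu'];
$locks = ['firstname' => 'locked', 'email' => 'locked'];
$updatelocal = ['firstname' => 'onlogin', 'email' => 'oncreate'];

var_dump(sync_user_from_idp($user, $claims, $locks, $updatelocal));
var_dump(decoupled_should_update('user', 'locked', 'onlogin', 'Anna'));
```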