Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-09-19 15:56:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

OIDC: Fixed incorrect detection of group detail population

Browse Source 
An empty (but valid formed) groups list provided via the OIDC ID token
would be considered as a lacking detail, and therefore trigger a lookup
to the userinfo endpoint in an attempt to get that information.

This fixes this to properly distinguish between not-provided and empty
state, to avoid userinfo where provided as valid but empty.

Includes test to cover.
For #5101
This commit is contained in:
Dan Brown 2024-07-14 14:21:16 +01:00
parent 7161f22706
commit 767699a066
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/Access/Oidc/OidcUserDetails.php
View File

@ -22,7 +22,7 @@ class OidcUserDetails
$hasEmpty = empty($this->externalId)
|| empty($this->email)
|| empty($this->name)
|| ($groupSyncActive && empty($this->groups));
|| ($groupSyncActive && $this->groups === null);
return !$hasEmpty;
}
@ -57,15 +57,15 @@ class OidcUserDetails
return implode(' ', $displayName);
}
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
{
if (empty($groupsClaim)) {
return [];
return null;
}
$groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
if (!is_array($groupsList)) {
return [];
return null;
}
return array_values(array_filter($groupsList, function ($val) {

20
tests/Auth/OidcTest.php
View File

@ -849,6 +849,26 @@ class OidcTest extends TestCase
$this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
}
public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
{
config()->set([
'oidc.user_to_groups' => true,
'oidc.groups_claim' => 'groups',
'oidc.remove_from_groups' => false,
]);
$this->post('/oidc/login');
$state = session()->get('oidc_state');
$client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
'groups' => [],
])]);
$resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
$resp->assertRedirect('/');
$this->assertEquals(1, $client->requestCount());
$this->assertTrue(auth()->check());
}
protected function withAutodiscovery(): void
{
config()->set([