mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 01:36:00 -04:00
OIDC: Fixed incorrect detection of group detail population
An empty (but valid formed) groups list provided via the OIDC ID token would be considered as a lacking detail, and therefore trigger a lookup to the userinfo endpoint in an attempt to get that information. This fixes this to properly distinguish between not-provided and empty state, to avoid userinfo where provided as valid but empty. Includes test to cover. For #5101
This commit is contained in:
parent
7161f22706
commit
767699a066
@ -22,7 +22,7 @@ class OidcUserDetails
|
||||
$hasEmpty = empty($this->externalId)
|
||||
|| empty($this->email)
|
||||
|| empty($this->name)
|
||||
|| ($groupSyncActive && empty($this->groups));
|
||||
|| ($groupSyncActive && $this->groups === null);
|
||||
|
||||
return !$hasEmpty;
|
||||
}
|
||||
@ -57,15 +57,15 @@ class OidcUserDetails
|
||||
return implode(' ', $displayName);
|
||||
}
|
||||
|
||||
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
|
||||
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
|
||||
{
|
||||
if (empty($groupsClaim)) {
|
||||
return [];
|
||||
return null;
|
||||
}
|
||||
|
||||
$groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
|
||||
if (!is_array($groupsList)) {
|
||||
return [];
|
||||
return null;
|
||||
}
|
||||
|
||||
return array_values(array_filter($groupsList, function ($val) {
|
||||
|
@ -849,6 +849,26 @@ class OidcTest extends TestCase
|
||||
$this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
|
||||
}
|
||||
|
||||
public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
|
||||
{
|
||||
config()->set([
|
||||
'oidc.user_to_groups' => true,
|
||||
'oidc.groups_claim' => 'groups',
|
||||
'oidc.remove_from_groups' => false,
|
||||
]);
|
||||
|
||||
$this->post('/oidc/login');
|
||||
$state = session()->get('oidc_state');
|
||||
$client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
|
||||
'groups' => [],
|
||||
])]);
|
||||
|
||||
$resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
|
||||
$resp->assertRedirect('/');
|
||||
$this->assertEquals(1, $client->requestCount());
|
||||
$this->assertTrue(auth()->check());
|
||||
}
|
||||
|
||||
protected function withAutodiscovery(): void
|
||||
{
|
||||
config()->set([
|
||||
|
Loading…
Reference in New Issue
Block a user