OIDC: Fixed incorrect detection of group detail population
An empty (but validly formed) groups list provided via the OIDC ID token would be considered a missing detail, and would therefore trigger a lookup to the userinfo endpoint in an attempt to obtain that information. This change properly distinguishes between the not-provided and empty states, so the userinfo lookup is avoided where groups are provided as a valid but empty list. Includes a test to cover this. For #5101
This commit is contained in:
parent
7161f22706
commit
767699a066
@ -22,7 +22,7 @@ class OidcUserDetails
|
|||||||
$hasEmpty = empty($this->externalId)
|
$hasEmpty = empty($this->externalId)
|
||||||
|| empty($this->email)
|
|| empty($this->email)
|
||||||
|| empty($this->name)
|
|| empty($this->name)
|
||||||
|| ($groupSyncActive && empty($this->groups));
|
|| ($groupSyncActive && $this->groups === null);
|
||||||
|
|
||||||
return !$hasEmpty;
|
return !$hasEmpty;
|
||||||
}
|
}
|
||||||
@ -57,15 +57,15 @@ class OidcUserDetails
|
|||||||
return implode(' ', $displayName);
|
return implode(' ', $displayName);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
|
protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
|
||||||
{
|
{
|
||||||
if (empty($groupsClaim)) {
|
if (empty($groupsClaim)) {
|
||||||
return [];
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
$groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
|
$groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
|
||||||
if (!is_array($groupsList)) {
|
if (!is_array($groupsList)) {
|
||||||
return [];
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
return array_values(array_filter($groupsList, function ($val) {
|
return array_values(array_filter($groupsList, function ($val) {
|
||||||
|
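Review bot: The new `?array` return of getUserGroups gives null two meanings that the code never states — no groups claim is configured, or the claim is absent/not an array — while `[]` now means an explicit empty list that isFullyPopulated (hunk at line 22) treats as populated; add a docblock such as `Returns null when no groups claim is configured or the claim is missing/not an array (detail unknown), or a list of group names, possibly empty, when the claim holds an array.` The `!is_array` branch also folds a present-but-malformed claim value into "not provided", so a misconfigured provider is silently retried via userinfo rather than surfaced; a debug-level log at that return would help operators diagnose it. The constructor parameter or property that receives this value is outside the hunk and presumably must accept null too, otherwise the new return paths fail with a TypeError.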
@ -849,6 +849,26 @@ class OidcTest extends TestCase
|
|||||||
$this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
|
$this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
|
||||||
|
{
|
||||||
|
config()->set([
|
||||||
|
'oidc.user_to_groups' => true,
|
||||||
|
'oidc.groups_claim' => 'groups',
|
||||||
|
'oidc.remove_from_groups' => false,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->post('/oidc/login');
|
||||||
|
$state = session()->get('oidc_state');
|
||||||
|
$client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
|
||||||
|
'groups' => [],
|
||||||
|
])]);
|
||||||
|
|
||||||
|
$resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
|
||||||
|
$resp->assertRedirect('/');
|
||||||
|
$this->assertEquals(1, $client->requestCount());
|
||||||
|
$this->assertTrue(auth()->check());
|
||||||
|
}
|
||||||
|
|
||||||
protected function withAutodiscovery(): void
|
protected function withAutodiscovery(): void
|
||||||
{
|
{
|
||||||
config()->set([
|
config()->set([
|
||||||
|
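Review bot: The new test pins only that userinfo is skipped (`requestCount()` of 1) and that login succeeds; it does not check how the empty list is applied to the user, which is the behaviour that changed. With `oidc.remove_from_groups` set to false an empty claim should leave existing membership untouched, and a companion case with it set to true would presumably confirm the empty list is now treated as "no groups" rather than as missing data. An assertion on the group membership of `auth()->user()` in each case would make that contract explicit. The test method also omits the `: void` return type that `withAutodiscovery()` below declares, though that may follow the file's existing convention for test methods.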