fix: only return user groups if it is explicitly requested

stonith404 · Oct 2, 2024 · a4a90a1 · a4a90a1
1 parent 365734e
commit a4a90a1
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -95,6 +95,7 @@ You may need the following information:
 - **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
 - **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
 - **PKCE**: `false` as this is not supported yet.
+- **Scopes**: At least `openid email`. Optionally you can add `profile` and `groups`.
 
 ### Proxy Services with Pocket ID
 

diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
@@ -308,20 +308,22 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 	user := authorizedOidcClient.User
 	scope := authorizedOidcClient.Scope
 
-	userGroups := make([]string, len(user.UserGroups))
-	for i, group := range user.UserGroups {
-		userGroups[i] = group.Name
-	}
-
 	claims := map[string]interface{}{
-		"sub":    user.ID,
-		"groups": userGroups,
+		"sub": user.ID,
 	}
 
 	if strings.Contains(scope, "email") {
 		claims["email"] = user.Email
 	}
 
+	if strings.Contains(scope, "groups") {
+		userGroups := make([]string, len(user.UserGroups))
+		for i, group := range user.UserGroups {
+			userGroups[i] = group.Name
+		}
+		claims["groups"] = userGroups
+	}
+
 	profileClaims := map[string]interface{}{
 		"given_name":         user.FirstName,
 		"family_name":        user.LastName,

diff --git a/frontend/src/routes/authorize/+page.svelte b/frontend/src/routes/authorize/+page.svelte
@@ -9,7 +9,7 @@
 	import { getWebauthnErrorMessage } from '$lib/utils/error-util';
 	import { startAuthentication } from '@simplewebauthn/browser';
 	import { AxiosError } from 'axios';
-	import { LucideMail, LucideUser } from 'lucide-svelte';
+	import { LucideMail, LucideUser, LucideUsers } from 'lucide-svelte';
 	import { slide } from 'svelte/transition';
 	import type { PageData } from './$types';
 	import ClientProviderImages from './components/client-provider-images.svelte';
@@ -113,6 +113,13 @@
 									description="View your profile information"
 								/>
 							{/if}
+							{#if scope!.includes('groups')}
+								<ScopeItem
+									icon={LucideUsers}
+									name="Groups"
+									description="View the groups you are a member of"
+								/>
+							{/if}
 						</div>
 					</Card.Content>
 				</Card.Root>

diff --git a/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte b/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte
@@ -70,7 +70,7 @@
 		<div class="w-full">
 			<FormInput
 				label="Name"
-				description={`Name that will be in the "userGroup" claim`}
+				description={`Name that will be in the "groups" claim`}
 				bind:input={$inputs.name}
 				onInput={onNameInput}
 			/>