From a4a90a16a9726569a22e42560184319b25fd7ca6 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Wed, 2 Oct 2024 10:41:10 +0200
Subject: [PATCH] fix: only return user groups if it is explicitly requested
---
 README.md | 1 +
 backend/internal/service/oidc_service.go | 16 +++++++++-------
 frontend/src/routes/authorize/+page.svelte | 9 ++++++++-
 .../admin/user-groups/user-group-form.svelte | 2 +-
 4 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index d824ac1..5e7e49c 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ You may need the following information:
 - **Certificate URL**: `https:///.well-known/jwks.json`
 - **OIDC Discovery URL**: `https:///.well-known/openid-configuration`
 - **PKCE**: `false` as this is not supported yet.
+- **Scopes**: At least `openid email`. Optionally you can add `profile` and `groups`.
 ### Proxy Services with Pocket ID
diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
index a72e0e7..e004bb7 100644
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -308,20 +308,22 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 user := authorizedOidcClient.User
 scope := authorizedOidcClient.Scope
- userGroups := make([]string, len(user.UserGroups))
- for i, group := range user.UserGroups {
- userGroups[i] = group.Name
- }
-
 claims := map[string]interface{}{
- "sub": user.ID,
- "groups": userGroups,
+ "sub": user.ID,
 }
 if strings.Contains(scope, "email") {
 claims["email"] = user.Email
 }
+ if strings.Contains(scope, "groups") {
+ userGroups := make([]string, len(user.UserGroups))
+ for i, group := range user.UserGroups {
+ userGroups[i] = group.Name
+ }
+ claims["groups"] = userGroups
+ }
+
 profileClaims := map[string]interface{}{
 "given_name": user.FirstName,
 "family_name": user.LastName,
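Review bot: `strings.Contains(scope, "groups")` tests a substring of the raw scope string rather than a scope token, so any requested scope whose name merely contains `groups` would also release the group list, which is exactly the over-disclosure this commit sets out to stop (the pre-existing `email` check has the same weakness). Compare whole space-separated tokens instead: add `scopes := strings.Fields(scope)` right after `scope := authorizedOidcClient.Scope`, then gate with `if slices.Contains(scopes, "groups") {` and likewise `if slices.Contains(scopes, "email") {`; `slices` needs Go 1.21, otherwise a small loop over `scopes` does the same. GetUserClaimsForClient begins before the hunk and continues after it, so whether `profileClaims` is gated on the `profile` scope in the same way cannot be confirmed from here.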
diff --git a/frontend/src/routes/authorize/+page.svelte b/frontend/src/routes/authorize/+page.svelte index 5fde0df..4e5667f 100644 --- a/frontend/src/routes/authorize/+page.svelte +++ b/frontend/src/routes/authorize/+page.svelte @@ -9,7 +9,7 @@ import { getWebauthnErrorMessage } from '$lib/utils/error-util'; import { startAuthentication } from '@simplewebauthn/browser'; import { AxiosError } from 'axios'; - import { LucideMail, LucideUser } from 'lucide-svelte'; + import { LucideMail, LucideUser, LucideUsers } from 'lucide-svelte'; import { slide } from 'svelte/transition'; import type { PageData } from './$types'; import ClientProviderImages from './components/client-provider-images.svelte'; @@ -113,6 +113,13 @@ description="View your profile information" /> {/if} + {#if scope!.includes('groups')} + + {/if} diff --git a/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte b/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte index aa3d7af..763ce35 100644 --- a/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte +++ b/frontend/src/routes/settings/admin/user-groups/user-group-form.svelte @@ -70,7 +70,7 @@