Support nested claim mapping for groups attribute #1149
Conversation
|
To fix the tests, you need to extend what the mocked I'll check if I can push in your branch and maybe do it. |
Signed-off-by: Andre Blanke <[email protected]>
Signed-off-by: Julien Veyssier <[email protected]>
|
Fixed the tests, rebased on main, all good. |
|
Thank you, too, for the merge and the test fix. |
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
2 participants
The provider option "Enable nested and fallback claim mappings" recently introduced in #1103 currently doesn't work for the groups attribute mapping since
getSyncGroupsOfTokenuses$groupsAttributefor directly accessing properties inside$idTokenPayload(instead of usinggetClaimValueto allow for dot-notation resolution).This is unfortunate because some identity providers, such as Keycloak, nest user roles inside the ID token (e.g., under
realm_access.rolesfor Keycloak realm-level andresource_access.${client_id}.rolesfor Keycloak client-level roles).My PR fixes the issue by adding the method
getClaimValuesand using it inside ofgetSyncGroupsOfToken.getClaimValuesincludes most of the logic ofgetClaimValue, but allows returning non-string values. The original behavior ofgetClaimValueis retained.Closes #799.