diff --git a/app/Access/Oidc/OidcUserDetails.php b/app/Access/Oidc/OidcUserDetails.php
index bccc49ee4..fae20de0b 100644
--- a/app/Access/Oidc/OidcUserDetails.php
+++ b/app/Access/Oidc/OidcUserDetails.php
@@ -22,7 +22,7 @@ class OidcUserDetails
 $hasEmpty = empty($this->externalId)
 || empty($this->email)
 || empty($this->name)
- || ($groupSyncActive && empty($this->groups));
+ || ($groupSyncActive && $this->groups === null);
 return !$hasEmpty;
 }
@@ -57,15 +57,15 @@ class OidcUserDetails
 return implode(' ', $displayName);
 }
- protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
+ protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
 {
 if (empty($groupsClaim)) {
- return [];
+ return null;
 }
 $groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
 if (!is_array($groupsList)) {
- return [];
+ return null;
 }
 return array_values(array_filter($groupsList, function ($val) {
diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
index 9bde71c80..201f67b53 100644
--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@@ -849,6 +849,26 @@ class OidcTest extends TestCase
 $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
 }
+ public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.groups_claim' => 'groups',
+ 'oidc.remove_from_groups' => false,
+ ]);
+
+ $this->post('/oidc/login');
+ $state = session()->get('oidc_state');
+ $client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
+ 'groups' => [],
+ ])]);
+
+ $resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+ $resp->assertRedirect('/');
+ $this->assertEquals(1, $client->requestCount());
+ $this->assertTrue(auth()->check());
+ }
+
 protected function withAutodiscovery(): void
 {
 config()->set([
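Review bot: The strict `$this->groups === null` test in the first hunk only separates "claim absent" from "claim present but empty" if the `groups` property is declared nullable and is left null when no claim is found. Its declaration and constructor are outside this hunk, so confirm it is `?array` with no `[]` default; otherwise the userinfo fallback for group sync would never be triggered by this condition. A one-line comment on the changed line would make the contract explicit: `// null = groups claim absent (userinfo may supply it); [] = provider asserted no groups`. The enclosing method starts outside the hunk.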
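Review bot: getUserGroups() now has two different "no groups" results, null and `[]`, and nothing in the second hunk documents which means what. A docblock such as `@return string[]|null Null when the claim is unconfigured, absent or not an array; [] when the claim is present but lists no usable groups` would state it. The trailing `array_filter` (its callback is cut off at the hunk end) can presumably reduce a non-empty but malformed claim to `[]`, which is now treated as an authoritative empty list rather than as missing data. It is worth confirming that this is the intended outcome when `oidc.remove_from_groups` is enabled. Callers outside the hunk that pass the result to group sync should handle null explicitly instead of coercing it to `[]`, so that a missing claim is not mistaken for "user has no groups".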
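Review bot: The new test pins `'oidc.remove_from_groups' => false` and asserts only the request count and `auth()->check()`, so it does not show what an empty `groups` array does to the user's role membership. Since an empty list from the ID token is now treated as authoritative, a companion case with `remove_from_groups` set to true that asserts the user's roles after login would lock in the access-control outcome. A second case where the claim is absent and the userinfo endpoint is still requested would guard the null branch, unless that is already covered elsewhere in the file. The method also omits the `: void` return type that `withAutodiscovery()` below declares.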