OIDC: Fixed incorrect detection of group detail population

ssddanbrown · ssddanbrown · commit 767699a0664c · 2024-07-14T14:21:16.000+01:00
An empty (but valid formed) groups list provided via the OIDC ID token would be considered as a lacking detail, and therefore trigger a lookup to the userinfo endpoint in an attempt to get that information. This fixes this to properly distinguish between not-provided and empty state, to avoid userinfo where provided as valid but empty. Includes test to cover. For #5101
diff --git a/app/Access/Oidc/OidcUserDetails.php b/app/Access/Oidc/OidcUserDetails.php
@@ -22,7 +22,7 @@ public function isFullyPopulated(bool $groupSyncActive): bool
         $hasEmpty = empty($this->externalId)
             || empty($this->email)
             || empty($this->name)
-            || ($groupSyncActive && empty($this->groups));
+            || ($groupSyncActive && $this->groups === null);
 
         return !$hasEmpty;
     }
@@ -57,15 +57,15 @@ protected static function getUserDisplayName(string $displayNameClaims, Provides
         return implode(' ', $displayName);
     }
 
-    protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
+    protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
     {
         if (empty($groupsClaim)) {
-            return [];
+            return null;
         }
 
         $groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
         if (!is_array($groupsList)) {
-            return [];
+            return null;
         }
 
         return array_values(array_filter($groupsList, function ($val) {
diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
@@ -849,6 +849,26 @@ public function test_userinfo_endpoint_response_with_invalid_content_type_throws
         $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
     }
 
+    public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
+    {
+        config()->set([
+            'oidc.user_to_groups'     => true,
+            'oidc.groups_claim'       => 'groups',
+            'oidc.remove_from_groups' => false,
+        ]);
+
+        $this->post('/oidc/login');
+        $state = session()->get('oidc_state');
+        $client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
+            'groups' => [],
+        ])]);
+
+        $resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+        $resp->assertRedirect('/');
+        $this->assertEquals(1, $client->requestCount());
+        $this->assertTrue(auth()->check());
+    }
+
     protected function withAutodiscovery(): void
     {
         config()->set([

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public function isFullyPopulated(bool $groupSyncActive): bool`
`22`	`22`	`$hasEmpty = empty($this->externalId)`
`23`	`23`	`\|\| empty($this->email)`
`24`	`24`	`\|\| empty($this->name)`
`25`		`- \|\| ($groupSyncActive && empty($this->groups));`
	`25`	`+ \|\| ($groupSyncActive && $this->groups === null);`
`26`	`26`
`27`	`27`	`return !$hasEmpty;`
`28`	`28`	`}`
`@@ -57,15 +57,15 @@ protected static function getUserDisplayName(string $displayNameClaims, Provides`
`57`	`57`	`return implode(' ', $displayName);`
`58`	`58`	`}`
`59`	`59`
`60`		`- protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array`
	`60`	`+ protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array`
`61`	`61`	`{`
`62`	`62`	`if (empty($groupsClaim)) {`
`63`		`- return [];`
	`63`	`+ return null;`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`$groupsList = Arr::get($token->getAllClaims(), $groupsClaim);`
`67`	`67`	`if (!is_array($groupsList)) {`
`68`		`- return [];`
	`68`	`+ return null;`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`return array_values(array_filter($groupsList, function ($val) {`