OIDC: Fixed incorrect detection of group detail population

An empty (but valid formed) groups list provided via the OIDC ID token
would be considered as a lacking detail, and therefore trigger a lookup
to the userinfo endpoint in an attempt to get that information.

This fixes this to properly distinguish between not-provided and empty
state, to avoid userinfo where provided as valid but empty.

Includes test to cover.
For #5101

diff --git a/app/Access/Oidc/OidcUserDetails.php b/app/Access/Oidc/OidcUserDetails.php
index bccc49ee4d86d0be73a795ca8eaea6394a916907..fae20de0b6224cb011807017aa6442c56179e4e8 100644 (file)
--- a/app/Access/Oidc/OidcUserDetails.php
+++ b/app/Access/Oidc/OidcUserDetails.php
@@ -22,7 +22,7 @@ class OidcUserDetails
         $hasEmpty = empty($this->externalId)
             || empty($this->email)
             || empty($this->name)
-            || ($groupSyncActive && empty($this->groups));
+            || ($groupSyncActive && $this->groups === null);
 
         return !$hasEmpty;
     }
@@ -57,15 +57,15 @@ class OidcUserDetails
         return implode(' ', $displayName);
     }
 
-    protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): array
+    protected static function getUserGroups(string $groupsClaim, ProvidesClaims $token): ?array
     {
         if (empty($groupsClaim)) {
-            return [];
+            return null;
         }
 
         $groupsList = Arr::get($token->getAllClaims(), $groupsClaim);
         if (!is_array($groupsList)) {
-            return [];
+            return null;
         }
 
         return array_values(array_filter($groupsList, function ($val) {

diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
index 9bde71c80ef19ff06c9a654b03fae4fa9204c3ea..201f67b533338057e13b405d611d21cd2c1b1ba6 100644 (file)
--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@@ -849,6 +849,26 @@ class OidcTest extends TestCase
         $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
     }
 
+    public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
+    {
+        config()->set([
+            'oidc.user_to_groups'     => true,
+            'oidc.groups_claim'       => 'groups',
+            'oidc.remove_from_groups' => false,
+        ]);
+
+        $this->post('/oidc/login');
+        $state = session()->get('oidc_state');
+        $client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
+            'groups' => [],
+        ])]);
+
+        $resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+        $resp->assertRedirect('/');
+        $this->assertEquals(1, $client->requestCount());
+        $this->assertTrue(auth()->check());
+    }
+
     protected function withAutodiscovery(): void
     {
         config()->set([