Commit f00222eb authored by Sebastian Poxhofer's avatar Sebastian Poxhofer Committed by Alex Pooley

Add group memberships to oidc id_token endpoint response

parent 9e0fc449
......@@ -57,7 +57,8 @@ Doorkeeper::OpenidConnect.configure do
o.claim(:website) { |user| user.full_website_url if user.website_url? }
o.claim(:profile) { |user| Gitlab::Routing.url_helpers.user_url user }
o.claim(:picture) { |user| user.avatar_url(only_path: false) }
o.claim(:groups) { |user| user.membership_groups.map(&:full_path) }
o.claim(:groups) { |user| user.membership_groups.joins(:route).with_route.map(&:full_path) }
o.claim(:groups_direct, response: [:id_token]) { |user| user.groups.joins(:route).with_route.map(&:full_path) }
end
end
end
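Review bot: The new `o.claim(:groups_direct, response: [:id_token])` line emits direct group paths in the ID token without a `scope:` option and without a comment on what gates it; an ID token is handed to every relying party the user authorizes and is routinely cached or logged client-side, so which scope (if any) controls release of this claim should be confirmed and stated next to it. The list is also unbounded, so a user with many direct memberships inflates every ID token issued to them; worth a sentence on whether that is acceptable. A short comment would help the next reader, e.g. `# Direct memberships only (no inherited/ancestor groups); placed in the ID token, unlike :groups which is userinfo-only.` The enclosing `Doorkeeper::OpenidConnect.configure` block starts before the hunk.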
......@@ -49,6 +49,7 @@ The following user information is shared with clients:
| `website` | `string` | URL for the user's website
| `profile` | `string` | URL for the user's GitLab profile
| `picture` | `string` | URL for the user's GitLab avatar
| `groups` | `array` | Names of the groups the user is a member of
| `groups` | `array` | Paths for the groups the user is a member of, either directly or through an ancestor group.
| `groups_direct` | `array` | Paths for the groups the user is a direct member of.
The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
......@@ -149,7 +149,15 @@ RSpec.describe 'OpenID Connect requests' do
end
context 'ID token payload' do
let!(:group1) { create :group }
let!(:group2) { create :group }
let!(:group3) { create :group, parent: group2 }
let!(:group4) { create :group, parent: group3 }
before do
group1.add_user(user, Gitlab::Access::OWNER)
group3.add_user(user, Gitlab::Access::DEVELOPER)
request_access_token!
@payload = JSON::JWT.decode(json_response['id_token'], :skip_verification)
end
......@@ -175,7 +183,12 @@ RSpec.describe 'OpenID Connect requests' do
end
it 'does not include any unknown properties' do
expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy email email_verified]
expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy email email_verified groups_direct]
end
it 'does include groups' do
expected_groups = [group1.full_path, group3.full_path]
expect(@payload['groups_direct']).to match_array(expected_groups)
end
end
......@@ -331,7 +344,15 @@ RSpec.describe 'OpenID Connect requests' do
end
context 'ID token payload' do
let!(:group1) { create :group }
let!(:group2) { create :group }
let!(:group3) { create :group, parent: group2 }
let!(:group4) { create :group, parent: group3 }
before do
group1.add_user(user, Gitlab::Access::OWNER)
group3.add_user(user, Gitlab::Access::DEVELOPER)
request_access_token!
@payload = JSON::JWT.decode(json_response['id_token'], :skip_verification)
end
......@@ -343,6 +364,11 @@ RSpec.describe 'OpenID Connect requests' do
it 'has true in email_verified claim' do
expect(@payload['email_verified']).to eq(true)
end
it 'does include groups' do
expected_groups = [group1.full_path, group3.full_path]
expect(@payload['groups_direct']).to match_array(expected_groups)
end
end
end
end
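Review bot: The new examples assert only `groups_direct`; the changed `groups` claim (`membership_groups.joins(:route).with_route`), documented as including memberships through an ancestor group, gets no expectation in the hunks shown, and this fixture (group4 nested under group3, where the user is a direct member) is exactly the case that would pin it, so if no other spec covers it a userinfo expectation on `groups` should be added. The two 'ID token payload' contexts at @@ -149 and @@ -331 duplicate the same four `let!` groups, the `before` block and the 'does include groups' example; a `shared_context` plus `shared_examples` would keep them from drifting apart. The example name could also say what it checks, e.g. `it 'includes only direct memberships in groups_direct' do`.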