feat: add support for groups when roles are missing

In practice not all OIDC providers expose roles. Some expose groups instead. We still prefer roles when possible, but fall back to groups. Alternatively a new type of user extractor would be required to be instroduced, effectively requiring to add a new config field for iam tenant configs.
metal-stack · Feb 7, 2025 · 121228c · 121228c
1 parent dffac7f
commit 121228c
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/genericOidc.go b/genericOidc.go
@@ -20,7 +20,8 @@ type GenericOIDCClaims struct {
 	Name              string   `json:"name"`
 	PreferredUsername string   `json:"preferred_username"`
 	EMail             string   `json:"email"`
-	Roles             []string `json:"roles"`
+	Roles             []string `json:"roles,omitempty"`
+	Groups            []string `json:"groups,omitempty"`
 }
 
 func (g *GenericOIDCClaims) Username() string {
@@ -30,6 +31,14 @@ func (g *GenericOIDCClaims) Username() string {
 	return g.Name
 }
 
+// Returns Roles and falls back to Groups if not set.
+func (g *GenericOIDCClaims) Memberships() []string {
+	if len(g.Roles) != 0 {
+		return g.Roles
+	}
+	return g.Groups
+}
+
 // GenericOIDC is Token Validator and UserGetter for Tokens issued by generic OIDC-Providers.
 type GenericOIDC struct {
 	issuerConfig    *IssuerConfig
@@ -154,7 +163,7 @@ func DefaultGenericUserExtractor(ic *IssuerConfig, claims *GenericOIDCClaims) (*
 		return nil, errors.New("claims is nil")
 	}
 	var grps []ResourceAccess
-	for _, g := range claims.Roles {
+	for _, g := range claims.Memberships() {
 		grps = append(grps, ResourceAccess(g))
 	}