Merge branch 'feat/add_groups_key_to_token_id_requests' into 'master'

Add group memberships to oidc id_token endpoint response

See merge request gitlab-org/gitlab!68354

config/initializers/doorkeeper_openid_connect.rb

@@ -57,7 +57,8 @@ Doorkeeper::OpenidConnect.configure do
       o.claim(:website)        { |user| user.full_website_url if user.website_url? }
       o.claim(:profile)        { |user| Gitlab::Routing.url_helpers.user_url user }
       o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
-      o.claim(:groups)         { |user| user.membership_groups.map(&:full_path) }
+      o.claim(:groups)         { |user| user.membership_groups.joins(:route).with_route.map(&:full_path) }
+      o.claim(:groups_direct, response: [:id_token]) { |user| user.groups.joins(:route).with_route.map(&:full_path) }
     end
   end
 end

doc/integration/openid_connect_provider.md

@@ -49,6 +49,7 @@ The following user information is shared with clients:
 | `website`        | `string`  | URL for the user's website
 | `profile`        | `string`  | URL for the user's GitLab profile
 | `picture`        | `string`  | URL for the user's GitLab avatar
-| `groups`         | `array`   | Names of the groups the user is a member of
+| `groups`         | `array`   | Paths for the groups the user is a member of, either directly or through an ancestor group.
+| `groups_direct`  | `array`   | Paths for the groups the user is a direct member of.
 
-The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
+The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.

spec/requests/openid_connect_spec.rb

@@ -149,7 +149,15 @@ RSpec.describe 'OpenID Connect requests' do
     end
 
     context 'ID token payload' do
+      let!(:group1) { create :group }
+      let!(:group2) { create :group }
+      let!(:group3) { create :group, parent: group2 }
+      let!(:group4) { create :group, parent: group3 }
+
       before do
+        group1.add_user(user, Gitlab::Access::OWNER)
+        group3.add_user(user, Gitlab::Access::DEVELOPER)
+
         request_access_token!
         @payload = JSON::JWT.decode(json_response['id_token'], :skip_verification)
       end
@@ -175,7 +183,12 @@ RSpec.describe 'OpenID Connect requests' do
       end
 
       it 'does not include any unknown properties' do
-        expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy email email_verified]
+        expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy email email_verified groups_direct]
+      end
+
+      it 'does include groups' do
+        expected_groups = [group1.full_path, group3.full_path]
+        expect(@payload['groups_direct']).to match_array(expected_groups)
       end
     end
 
@@ -331,7 +344,15 @@ RSpec.describe 'OpenID Connect requests' do
     end
 
     context 'ID token payload' do
+      let!(:group1) { create :group }
+      let!(:group2) { create :group }
+      let!(:group3) { create :group, parent: group2 }
+      let!(:group4) { create :group, parent: group3 }
+
       before do
+        group1.add_user(user, Gitlab::Access::OWNER)
+        group3.add_user(user, Gitlab::Access::DEVELOPER)
+
         request_access_token!
         @payload = JSON::JWT.decode(json_response['id_token'], :skip_verification)
       end
@@ -343,6 +364,11 @@ RSpec.describe 'OpenID Connect requests' do
       it 'has true in email_verified claim' do
         expect(@payload['email_verified']).to eq(true)
       end
+
+      it 'does include groups' do
+        expected_groups = [group1.full_path, group3.full_path]
+        expect(@payload['groups_direct']).to match_array(expected_groups)
+      end
     end
   end
 end