Provide group membership level in OIDC claim

484e50b3 · Bastian Blank · Stan Hu · 70a1dc76 · 484e50b3 · 484e50b3
Commit 484e50b3 authored Mar 14, 2020 by Bastian Blank Committed by Stan Hu Dec 11, 2021
4 changed files
--- a/changelogs/unreleased/209975-oidc-claim-group-level.yml
+++ b/changelogs/unreleased/209975-oidc-claim-group-level.yml
+---
+title: Provide group membership level in OIDC claim
+merge_request: 27264
+author: Bastian Blank
+type: added
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -59,6 +59,15 @@ Doorkeeper::OpenidConnect.configure do
      o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
      o.claim(:groups)         { |user| user.membership_groups.joins(:route).with_route.map(&:full_path) }
      o.claim(:groups_direct, response: [:id_token]) { |user| user.groups.joins(:route).with_route.map(&:full_path) }
+      o.claim('https://gitlab.org/claims/groups/owner') do |user|
+        user.owned_groups.joins(:route).with_route.map(&:full_path).presence
+      end
+      o.claim('https://gitlab.org/claims/groups/maintainer') do |user|
+        user.maintainers_groups.joins(:route).with_route.map(&:full_path).presence
+      end
+      o.claim('https://gitlab.org/claims/groups/developer') do |user|
+        user.developer_groups.joins(:route).with_route.map(&:full_path).presence
+      end
    end
  end
 end
--- a/doc/integration/openid_connect_provider.md
+++ b/doc/integration/openid_connect_provider.md
@@ -51,5 +51,8 @@ The following user information is shared with clients:
 | `picture`        | `string`  | URL for the user's GitLab avatar
 | `groups`         | `array`   | Paths for the groups the user is a member of, either directly or through an ancestor group.
 | `groups_direct`  | `array`   | Paths for the groups the user is a direct member of.
+| `https://gitlab.org/claims/groups/owner`      | `array`   | Names of the groups the user is a direct member of with Owner role
+| `https://gitlab.org/claims/groups/maintainer` | `array`   | Names of the groups the user is a direct member of with Maintainer role
+| `https://gitlab.org/claims/groups/developer`  | `array`   | Names of the groups the user is a direct member of with Developer role

 The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
--- a/spec/requests/openid_connect_spec.rb
+++ b/spec/requests/openid_connect_spec.rb
@@ -37,7 +37,10 @@ RSpec.describe 'OpenID Connect requests' do
      'website'        => 'https://example.com',
      'profile'        => 'http://localhost/alice',
      'picture'        => "http://localhost/uploads/-/system/user/avatar/#{user.id}/dk.png",
-      'groups'         => kind_of(Array)
+      'groups'         => kind_of(Array),
+      'https://gitlab.org/claims/groups/owner'      => kind_of(Array),
+      'https://gitlab.org/claims/groups/maintainer' => kind_of(Array),
+      'https://gitlab.org/claims/groups/developer'  => kind_of(Array)
    }
  end

@@ -119,6 +122,7 @@ RSpec.describe 'OpenID Connect requests' do
      before do
        group1.add_user(user, GroupMember::OWNER)
        group3.add_user(user, Gitlab::Access::DEVELOPER)
+        group4.add_user(user, Gitlab::Access::MAINTAINER)

        request_user_info!
      end
@@ -129,6 +133,10 @@ RSpec.describe 'OpenID Connect requests' do
        expected_groups = [group1.full_path, group3.full_path]
        expected_groups << group4.full_path
        expect(json_response['groups']).to match_array(expected_groups)
+
+        expect(json_response['https://gitlab.org/claims/groups/owner']).to match_array([group1.full_path])
+        expect(json_response['https://gitlab.org/claims/groups/maintainer']).to match_array([group4.full_path])
+        expect(json_response['https://gitlab.org/claims/groups/developer']).to match_array([group3.full_path])
      end

      it 'does not include any unknown claims' do