feat: Allow changing the 'group' oidc claim field (#6546)

* feat: Allow changing the 'group' oidc claim field * Enable empty groups support * fix: Delete was wiping all groups, not just the single user's groups * Update docs * fix: Dbfake delete group member fixed
2025-07-06 15:41:45 +00:00 · 2023-03-09 23:31:38 -06:00
parent 11a930e779
commit 7f25d31745
14 changed files with 170 additions and 46 deletions
--- a/enterprise/coderd/userauth_test.go
+++ b/enterprise/coderd/userauth_test.go
@ -8,9 +8,11 @@ import (
 	"testing"

 	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
@ -28,7 +30,10 @@ func TestUserOIDC(t *testing.T) {
 			ctx, _ := testutil.Context(t)
 			conf := coderdtest.NewOIDCConfig(t, "")

-			config := conf.OIDCConfig(t, jwt.MapClaims{})
+			const groupClaim = "custom-groups"
+			config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
+				cfg.GroupField = groupClaim
+			})
 			config.AllowSignups = true

 			client := coderdenttest.New(t, &coderdenttest.Options{
@ -53,8 +58,8 @@ func TestUserOIDC(t *testing.T) {
 			require.Len(t, group.Members, 0)

 			resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
-				"email":  "colin@coder.com",
-				"groups": []string{groupName},
+				"email":    "colin@coder.com",
+				groupClaim: []string{groupName},
 			}))
 			assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)

@ -62,6 +67,72 @@ func TestUserOIDC(t *testing.T) {
 			require.NoError(t, err)
 			require.Len(t, group.Members, 1)
 		})
+		t.Run("AddThenRemove", func(t *testing.T) {
+			t.Parallel()
+
+			ctx, _ := testutil.Context(t)
+			conf := coderdtest.NewOIDCConfig(t, "")
+
+			config := conf.OIDCConfig(t, jwt.MapClaims{})
+			config.AllowSignups = true
+
+			client := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					OIDCConfig: config,
+				},
+			})
+			firstUser := coderdtest.CreateFirstUser(t, client)
+			coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+				AllFeatures: true,
+			})
+
+			// Add some extra users/groups that should be asserted after.
+			// Adding this user as there was a bug that removing 1 user removed
+			// all users from the group.
+			_, extra := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID)
+			groupName := "bingbong"
+			group, err := client.CreateGroup(ctx, firstUser.OrganizationID, codersdk.CreateGroupRequest{
+				Name: groupName,
+			})
+			require.NoError(t, err, "create group")
+
+			group, err = client.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{
+				AddUsers: []string{
+					firstUser.UserID.String(),
+					extra.ID.String(),
+				},
+			})
+			require.NoError(t, err, "patch group")
+			require.Len(t, group.Members, 2, "expect both members")
+
+			// Now add OIDC user into the group
+			resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
+				"email":  "colin@coder.com",
+				"groups": []string{groupName},
+			}))
+			assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+
+			group, err = client.Group(ctx, group.ID)
+			require.NoError(t, err)
+			require.Len(t, group.Members, 3)
+
+			// Login to remove the OIDC user from the group
+			resp = oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
+				"email":  "colin@coder.com",
+				"groups": []string{},
+			}))
+			assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+
+			group, err = client.Group(ctx, group.ID)
+			require.NoError(t, err)
+			require.Len(t, group.Members, 2)
+			var expected []uuid.UUID
+			for _, mem := range group.Members {
+				expected = append(expected, mem.ID)
+			}
+			require.ElementsMatchf(t, expected, []uuid.UUID{firstUser.UserID, extra.ID}, "expected members")
+		})
+
 		t.Run("NoneMatch", func(t *testing.T) {
 			t.Parallel()