From 72dd3c60c026faa36f4aaf58cf02480167d43e05 Mon Sep 17 00:00:00 2001
From: Joost Buskermolen <joostbuskermolen@hotmail.com>
Date: Thu, 25 Aug 2022 10:55:30 +0200
Subject: [PATCH] fix: Fallback when group claim is a string instead of an
 array of strings (#2639)

Signed-off-by: Joost Buskermolen <joost@buskervezel.nl>
Co-authored-by: Michiel van Pouderoijen <michiel@pouderoijen.nl>
---
 connector/oidc/oidc.go      |  5 +++++
 connector/oidc/oidc_test.go | 16 ++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index b4e67799..e345dca0 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -351,6 +351,11 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 			vs, found = claims[groupsKey].([]interface{})
 		}
 
+		// Fallback when claims[groupsKey] is a string instead of an array of strings.
+		if g, b := claims[groupsKey].(string); b {
+			groups = []string{g}
+		}
+
 		if found {
 			for _, v := range vs {
 				if s, ok := v.(string); ok {
diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go
index d8b30b39..d94af79d 100644
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@@ -271,6 +271,22 @@ func TestHandleCallback(t *testing.T) {
 				"cognito:groups": []string{"group3", "group4"},
 			},
 		},
+		{
+			name:               "singularGroupResponseAsString",
+			userIDKey:          "", // not configured
+			userNameKey:        "", // not configured
+			expectUserID:       "subvalue",
+			expectUserName:     "namevalue",
+			expectGroups:       []string{"group1"},
+			expectedEmailField: "emailvalue",
+			token: map[string]interface{}{
+				"sub":            "subvalue",
+				"name":           "namevalue",
+				"groups":         "group1",
+				"email":          "emailvalue",
+				"email_verified": true,
+			},
+		},
 	}
 
 	for _, tc := range tests {
-- 
GitLab