Merge pull request #1149 from andreblanke/feat/nested-group-claim

Support nested claim mapping for groups attribute

Author: julien-nc

lib/Service/ProvisioningService.php

@@ -62,9 +62,9 @@ public function hasOidcUserProvisitioned(string $userId): bool {
 
 	/**
 	 * Resolves a claim path like "custom.nickname" or multiple alternatives separated by "|".
-	 * Returns the first found string value, or null if none could be resolved.
+	 * Returns the first found value, or null if none could be resolved.
 	 */
-	public function getClaimValue(object|array $tokenPayload, string $claimPath, int $providerId): mixed {
+	public function getClaimValues(object|array $tokenPayload, string $claimPath, int $providerId): mixed {
 		if ($claimPath === '') {
 			return null;
 		}
@@ -99,14 +99,21 @@ public function getClaimValue(object|array $tokenPayload, string $claimPath, int
 				}
 			}
 
-			if (is_string($value)) {
-				return $value;
-			}
+			return $value;
 		}
 
 		return null;
 	}
 
+	/**
+	 * Resolves a claim path like "custom.nickname" or multiple alternatives separated by "|".
+	 * Returns the first found string value, or null if none could be resolved.
+	 */
+	public function getClaimValue(object|array $tokenPayload, string $claimPath, int $providerId): mixed {
+		$value = $this->getClaimValues($tokenPayload, $claimPath, $providerId);
+		return is_string($value) ? $value : null;
+	}
+
 	/**
 	 * @param string $tokenUserId
 	 * @param int $providerId
@@ -523,7 +530,7 @@ private function setUserAvatar(string $userId, string $avatarAttribute): void {
 
 	public function getSyncGroupsOfToken(int $providerId, object $idTokenPayload) {
 		$groupsAttribute = $this->providerService->getSetting($providerId, ProviderService::SETTING_MAPPING_GROUPS, 'groups');
-		$groupsData = $idTokenPayload->{$groupsAttribute} ?? null;
+		$groupsData = $this->getClaimValues($idTokenPayload, $groupsAttribute, $providerId);
 
 		$groupsWhitelistRegex = $this->getGroupWhitelistRegex($providerId);
 

tests/unit/Service/ProvisioningServiceTest.php

@@ -360,6 +360,7 @@ public function testProvisionUserGroups(string $gid, string $displayName, object
 				[
 					[$providerId, ProviderService::SETTING_GROUP_WHITELIST_REGEX, '', $group_whitelist],
 					[$providerId, ProviderService::SETTING_MAPPING_GROUPS, 'groups', 'groups'],
+					[$providerId, ProviderService::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING, '0', '0'],
 				]
 			));