diff --git a/src/oidc.js b/src/oidc.js
index 4eb024048..34f3f0a35 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -44,6 +44,7 @@ const assert = require('assert'),
     translations = require('./translations.js'),
     url = require('url'),
     users = require('./users.js'),
+    groups = require('./groups.js'),
     util = require('util');
 
 const OIDC_CLIENTS_TABLE_NAME = 'oidcClients';
@@ -719,6 +720,9 @@ async function claims(userId/*, use, scope*/) {
     const [error, user] = await safe(users.get(userId));
     if (error) return { error: 'user not found' };
 
+    const [groupsError, allGroups] = await safe(groups.listWithMembers());
+    if (groupsError) return { error: groupsError.message }
+
     const displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
     const { firstName, lastName, middleName } = users.parseDisplayName(displayName);
 
@@ -735,7 +739,8 @@ async function claims(userId/*, use, scope*/) {
         locale: 'en-US',
         name: user.displayName,
         picture: `https://${dashboardFqdn}/api/v1/profile/avatar/${user.id}`,
-        preferred_username: user.username
+        preferred_username: user.username,
+        groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; })
     };
 
     return claims;
@@ -817,7 +822,8 @@ async function start() {
         },
         claims: {
             email: ['email', 'email_verified'],
-            profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username', 'picture' ]
+            profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username', 'picture' ],
+            groups: [ 'groups' ]
         },
         features: {
             rpInitiatedLogout: { enabled: false },
@@ -860,7 +866,7 @@ async function start() {
             accountId: ctx.oidc.session.accountId,
         });
-        grant.addOIDCScope('openid email profile');
+        grant.addOIDCScope('openid email profile groups');
         // grant.addOIDCClaims(['first_name']);
         await grant.save();
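Review bot: The added early return `if (groupsError) return { error: groupsError.message }` forwards the raw message from groups.listWithMembers() into the claims result and drops the trailing semicolon the rest of the file uses, while the user lookup two lines above maps its failure to a fixed string; suggest `if (groupsError) return { error: 'groups lookup failed' };` so internal error text does not leave this function and the two error paths read the same way. Note also that listWithMembers() now runs on every claims() call regardless of which claims are being requested; the `use`/`scope` parameters are commented out in the signature, so this cannot be narrowed here, but a one-line comment such as `// groups are fetched unconditionally; the provider's claims map decides whether they are emitted` would make that deliberate. claims() begins before this hunk.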
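Review bot: The new `groups:` claim line packs a filter and a map with two function expressions onto one line, and `${g.name}` is a template literal wrapping a single value, which presumably is already a string; the same claim reads as `groups: allGroups.filter((g) => g.userIds.includes(user.id)).map((g) => g.name)`. Whether every record returned by listWithMembers() carries a `userIds` array is not visible here; if it can be absent the filter throws before any claim is produced, so that is worth confirming against groups.js. Since the claim carries group names rather than ids, renaming a group changes what relying parties receive; a short comment on the line, e.g. `// emitted as group names, so a rename is visible to relying parties`, would record that choice for whoever maintains the mapping. claims() begins before this hunk.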