From ce7ab72190f11d871cc7eadc68e95af52dfb6e1b Mon Sep 17 00:00:00 2001
From: christianmg99 <46071367+christianmg99@users.noreply.github.com>
Date: Mon, 22 Apr 2024 00:23:25 +0200
Subject: [PATCH] chg: [config] Allow Oidc roles as string

---
 app/Plugin/OidcAuth/Lib/Oidc.php | 10 +++++-----
 app/Plugin/OidcAuth/README.md    |  1 +
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/app/Plugin/OidcAuth/Lib/Oidc.php b/app/Plugin/OidcAuth/Lib/Oidc.php
index 8a5ad1fc7..aa4715d46 100644
--- a/app/Plugin/OidcAuth/Lib/Oidc.php
+++ b/app/Plugin/OidcAuth/Lib/Oidc.php
@@ -74,7 +74,6 @@ class Oidc
             return false;
         }
 
-        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
         $roleId = $this->getUserRole($roles, $mispUsername);
         if ($roleId === null) {
             $this->log($mispUsername, 'No role was assigned, access prohibited.', LOG_WARNING);
@@ -232,7 +231,6 @@ class Oidc
             return false;
         }
 
-        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
         $roleId = $this->getUserRole($roles, $user['email']);
         if ($roleId === null) {
             $this->log($user['email'], 'No role was assigned.', LOG_WARNING);
@@ -304,9 +302,10 @@ class Oidc
         $providerUrl = $this->getConfig('provider_url');
         $clientId = $this->getConfig('client_id');
         $clientSecret = $this->getConfig('client_secret');
+        $issuer = $this->getConfig('issuer', $providerUrl);
 
         if (class_exists("\JakubOnderka\OpenIDConnectClient")) {
-            $oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret);
+            $oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret, $issuer);
         } else if (class_exists("\Jumbojett\OpenIDConnectClient")) {
             throw new Exception("Jumbojett OIDC implementation is not supported anymore, please use JakubOnderka's client");
         } else {
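Review bot: `$issuer = $this->getConfig('issuer', $providerUrl)` on the new line only falls back to `provider_url` when the key is absent; if `getConfig` hands back the configured value as-is, a deployment that sets `'issuer' => ''` passes an empty issuer into the client constructor, and how `\JakubOnderka\OpenIDConnectClient` then validates the ID token `iss` claim is not visible in this hunk. Consider `$issuer = $this->getConfig('issuer') ?: $providerUrl;` (or an explicit empty check with a logged error) so a blank value cannot silently weaken issuer validation. A short comment on the added line, such as `// Expected 'iss' claim of ID tokens; defaults to provider_url, override when the IdP advertises a different issuer`, would explain why the two values may legitimately differ. The enclosing method starts and ends outside the hunk.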
@@ -444,12 +443,13 @@ class Oidc
     }
 
     /**
-     * @param array $roles Role list provided by OIDC
+     * @param array|string $roles Role list provided by OIDC
      * @param string $mispUsername
      * @return int|null Role ID or null if no role matches
      */
-    private function getUserRole(array $roles, $mispUsername)
+    private function getUserRole($roles, $mispUsername)
     {
+        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
         $this->log($mispUsername, 'Provided roles: ' . implode(', ', $roles));
         $roleMapper = $this->getConfig('role_mapper');
         if (!is_array($roleMapper)) {
diff --git a/app/Plugin/OidcAuth/README.md b/app/Plugin/OidcAuth/README.md
index f4e47fcd3..062a7491e 100644
--- a/app/Plugin/OidcAuth/README.md
+++ b/app/Plugin/OidcAuth/README.md
@@ -32,6 +32,7 @@ $config = array(
     ...
     'OidcAuth' = [
         'provider_url' => '{{ OIDC_PROVIDER }}',
+        'issuer' => '{{ OIDC_ISSUER }}', // If omitted, it defaults to provider_url
         'client_id' => '{{ OIDC_CLIENT_ID }}',
         'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
         'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user
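Review bot: Dropping the `array` type from `getUserRole` means a roles claim that is neither a string nor an array (for example `null` when the IdP omits the claim, or a scalar from a misconfigured mapper) now reaches `implode()` on the line right after the added normalization and fails with a TypeError or warning instead of the logged refusal the callers expect. A guard before the log line such as `if (!is_array($roles)) { $this->log($mispUsername, 'Unexpected roles claim type: ' . gettype($roles), LOG_WARNING); return null; }` keeps the failure on the `null` path that the two callers in the earlier hunks already check. If the project's PHP floor is 8.0 or later, the native union `array|string $roles` would restore the enforcement the docblock now only describes; otherwise the guard is the only type check left. Separately, `explode` keeps surrounding whitespace, so a claim like `"admin, user"` yields `" user"`, which the role_mapper comparison further down may not match if it is exact; `array_map('trim', explode(...))` would avoid that. The method body continues past the end of the hunk.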