Merge pull request #77 from maykinmedia/issue/76-groups-claim-optional

♻️ [#76] Make groups_claim optional
maykinmedia · Jan 11, 2024 · 8c99a6b · 8c99a6b
2 parents a570bd5 + 3876aec
commit 8c99a6b
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py b/mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.23 on 2024-01-09 10:38
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("mozilla_django_oidc_db", "0013_merge_20231221_1529"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="openidconnectconfig",
+            name="groups_claim",
+            field=models.CharField(
+                blank=True,
+                default="roles",
+                help_text="The name of the OIDC claim that holds the values to map to local user groups.",
+                max_length=50,
+                verbose_name="groups claim",
+            ),
+        ),
+    ]
diff --git a/mozilla_django_oidc_db/models.py b/mozilla_django_oidc_db/models.py
@@ -257,6 +257,7 @@ class OpenIDConnectConfig(CachingMixin, OpenIDConnectConfigBase):
         help_text=_(
             "The name of the OIDC claim that holds the values to map to local user groups."
         ),
+        blank=True,
     )
     sync_groups = models.BooleanField(
         _("Create local user groups if they do not exist yet"),

diff --git a/tests/test_backend.py b/tests/test_backend.py
@@ -357,6 +357,48 @@ def test_backend_create_user_sync_all_groups(mock_get_solo):
     ]
 
 
+@pytest.mark.django_db
+@patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo")
+def test_backend_create_user_no_groups_sync_without_groups_claim(mock_get_solo):
+    Group.objects.create(name="group1")
+    Group.objects.create(name="group2")
+
+    oidc_config = OpenIDConnectConfig(
+        id=1,
+        enabled=True,
+        oidc_rp_client_id="testid",
+        oidc_rp_client_secret="secret",
+        oidc_rp_sign_algo="HS256",
+        oidc_rp_scopes_list=["openid", "email"],
+        oidc_op_jwks_endpoint="http://some.endpoint/v1/jwks",
+        oidc_op_authorization_endpoint="http://some.endpoint/v1/auth",
+        oidc_op_token_endpoint="http://some.endpoint/v1/token",
+        oidc_op_user_endpoint="http://some.endpoint/v1/user",
+        groups_claim="",
+        sync_groups=True,
+        sync_groups_glob_pattern="*",
+    )
+    # Explicitly set to none
+    oidc_config.default_groups.set(Group.objects.none())
+    mock_get_solo.return_value = oidc_config
+
+    claims = {
+        "sub": "123456",
+        "roles": ["group1", "newgroup"],
+    }
+
+    backend = OIDCAuthenticationBackend()
+
+    user = backend.create_user(claims)
+
+    # Verify that no groups were created
+    assert Group.objects.count() == 2
+
+    # Verify that a user is created with the correct values
+    assert user.username == "123456"
+    assert list(user.groups.values_list("name", flat=True)) == []
+
+
 @pytest.mark.django_db
 @patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo")
 def test_backend_create_user_sync_groups_according_to_pattern(mock_get_solo):