From 3648132aa4c820481bb08ed70f9cdc298d0406bc Mon Sep 17 00:00:00 2001 From: Steven Bal Date: Tue, 9 Jan 2024 11:42:20 +0100 Subject: [PATCH 1/2] :recycle: [#76] Make groups_claim optional to make it possible to disable group assignment --- ..._alter_openidconnectconfig_groups_claim.py | 23 +++++++++++++++++++ mozilla_django_oidc_db/models.py | 1 + 2 files changed, 24 insertions(+) create mode 100644 mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py diff --git a/mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py b/mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py new file mode 100644 index 0000000..8240ed0 --- /dev/null +++ b/mozilla_django_oidc_db/migrations/0014_alter_openidconnectconfig_groups_claim.py @@ -0,0 +1,23 @@ +# Generated by Django 3.2.23 on 2024-01-09 10:38 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("mozilla_django_oidc_db", "0013_merge_20231221_1529"), + ] + + operations = [ + migrations.AlterField( + model_name="openidconnectconfig", + name="groups_claim", + field=models.CharField( + blank=True, + default="roles", + help_text="The name of the OIDC claim that holds the values to map to local user groups.", + max_length=50, + verbose_name="groups claim", + ), + ), + ] diff --git a/mozilla_django_oidc_db/models.py b/mozilla_django_oidc_db/models.py index 4e2041f..c404e83 100644 --- a/mozilla_django_oidc_db/models.py +++ b/mozilla_django_oidc_db/models.py @@ -257,6 +257,7 @@ class OpenIDConnectConfig(CachingMixin, OpenIDConnectConfigBase): help_text=_( "The name of the OIDC claim that holds the values to map to local user groups." ), + blank=True, ) sync_groups = models.BooleanField( _("Create local user groups if they do not exist yet"), From 3876aec1ffe6adb65292b05f913e2ad060995bb7 Mon Sep 17 00:00:00 2001 
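Review bot: `blank=True` on `groups_claim` makes an empty claim name a valid admin configuration, but nothing in this commit shows the backend treating an empty name as "group mapping disabled" rather than as a lookup of a claim literally named `""`; if the sync path is gated only by `sync_groups`, disabling relies on that lookup silently failing instead of an explicit check. Where the backend reads `groups_claim` (outside this diff) an explicit guard such as `if not config.groups_claim: return` before any group sync would make the intent visible and keep it from regressing if the lookup semantics change. The help_text should also state what a blank value means, e.g. `"The name of the OIDC claim that holds the values to map to local user groups. Leave blank to disable group assignment."`, which would then need the generated migration in this same commit to carry the matching text. The `OpenIDConnectConfig` class body continues on both sides of this hunk.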
From: Steven Bal Date: Tue, 9 Jan 2024 11:53:53 +0100 Subject: [PATCH 2/2] :white_check_mark: [#76] Add test for empty groups_claim --- tests/test_backend.py | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/tests/test_backend.py b/tests/test_backend.py index ecceadd..6e56b36 100644 --- a/tests/test_backend.py +++ b/tests/test_backend.py @@ -357,6 +357,48 @@ def test_backend_create_user_sync_all_groups(mock_get_solo): ] +@pytest.mark.django_db +@patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo") +def test_backend_create_user_no_groups_sync_without_groups_claim(mock_get_solo): + Group.objects.create(name="group1") + Group.objects.create(name="group2") + + oidc_config = OpenIDConnectConfig( + id=1, + enabled=True, + oidc_rp_client_id="testid", + oidc_rp_client_secret="secret", + oidc_rp_sign_algo="HS256", + oidc_rp_scopes_list=["openid", "email"], + oidc_op_jwks_endpoint="http://some.endpoint/v1/jwks", + oidc_op_authorization_endpoint="http://some.endpoint/v1/auth", + oidc_op_token_endpoint="http://some.endpoint/v1/token", + oidc_op_user_endpoint="http://some.endpoint/v1/user", + groups_claim="", + sync_groups=True, + sync_groups_glob_pattern="*", + ) + # Explicitly set to none + oidc_config.default_groups.set(Group.objects.none()) + mock_get_solo.return_value = oidc_config + + claims = { + "sub": "123456", + "roles": ["group1", "newgroup"], + } + + backend = OIDCAuthenticationBackend() + + user = backend.create_user(claims) + + # Verify that no groups were created + assert Group.objects.count() == 2 + + # Verify that a user is created with the correct values + assert user.username == "123456" + assert list(user.groups.values_list("name", flat=True)) == [] + + @pytest.mark.django_db @patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo") def test_backend_create_user_sync_groups_according_to_pattern(mock_get_solo):
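Review bot: The new test clears `default_groups` explicitly, so it does not establish whether a blank `groups_claim` also suppresses `default_groups`, which is the configuration an operator who disables claim-based mapping is most likely to be running; a variant that creates a default group and asserts whether the user receives it would pin the intended behaviour either way. The claims dict still carries `"roles": ["group1", "newgroup"]`, which is a useful check that the former default claim name is no longer consulted, but the intent is implicit; a comment such as `# "roles" is present but must be ignored: groups_claim is blank` above the dict would make it explicit. Minor wording: `# Explicitly set to none` reads more accurately as `# Explicitly clear default_groups`.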