groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-03-01 05:29:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

OIDC: Support object-shaped and string group claims

Browse source 
The group claim was assumed to always be an array, which crashes with
providers like Zitadel that return an object with role names as keys
(e.g. { "admin": {...}, "user": {...} }). Normalize all common formats:
array, single string, and object (extract keys).

Fixes #4744
This commit is contained in:
Denis Arnst 2026-02-12 13:25:56 +01:00
parent 84b3d4d215
commit 67f8eb6815
No known key found for this signature in database
GPG key ID: D5866C58940197BF
2 changed files with 73 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

17
server/auth/OidcAuthStrategy.js
View file

@ -248,7 +248,22 @@ class OidcAuthStrategy {
if (!userinfo[groupClaimName]) throw new AuthError(`Group claim ${groupClaimName} not found in userinfo`, 401)
const groupsList = userinfo[groupClaimName].map((group) => group.toLowerCase())
const rawGroups = userinfo[groupClaimName]
// Normalize group claim formats across providers:
// - Array of strings (Keycloak, Auth0): ["admin", "user"]
// - Single string (some providers with one group): "admin"
// - Object with role keys (Zitadel): { "admin": {...}, "user": {...} }
let groups
if (Array.isArray(rawGroups)) {
groups = rawGroups
} else if (typeof rawGroups === 'string') {
groups = [rawGroups]
} else if (typeof rawGroups === 'object' && rawGroups !== null) {
groups = Object.keys(rawGroups)
} else {
throw new AuthError(`Group claim ${groupClaimName} has unsupported format: ${typeof rawGroups}`, 401)
}
const groupsList = groups.map((group) => group.toLowerCase())
const rolesInOrderOfPriority = ['admin', 'user', 'guest']
const groupMap = global.ServerSettings.authOpenIDGroupMap || {}