From c80df89e72ce532328ee7a61d4f6d00566a09ce5 Mon Sep 17 00:00:00 2001
From: Andrey Igoshin
Date: Wed, 12 Feb 2025 12:53:35 +0300
Subject: [PATCH] oidc custom claim role support
---
 app/controllers/external_controller.rb | 14 ++++++++++++++
 config/initializers/omniauth.rb | 5 +++--
 sample.env | 3 +++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/app/controllers/external_controller.rb b/app/controllers/external_controller.rb
index d552dae03a..f0e80d7267 100644
--- a/app/controllers/external_controller.rb
+++ b/app/controllers/external_controller.rb
@@ -158,6 +158,19 @@ def extract_meeting_id
 meeting_id end
+ def extract_role(credentials) custom_claim = ENV.fetch('OPENID_CONNECT_CUSTOM_CLAIM', 'org_details') roles = ENV.fetch('OPENID_CONNECT_CUSTOM_CLAIM_ROLE', 'roles') if credentials.dig('extra', 'raw_info', custom_claim)&.key?(roles) role_name = credentials['extra']['raw_info'][custom_claim][roles] if !role_name.blank? role = Role.find_by(name: role_name, provider: current_provider) return role if !role.blank? end end return default_role end + def valid_invite_token(email:) token = cookies[:inviteToken]
@@ -171,6 +184,7 @@ def build_user_info(credentials)
 { name: credentials['info']['name'], email: credentials['info']['email'],
+ role: extract_role(credentials),
 language: extract_language_code(credentials['info']['locale']), external_id: credentials['uid'], verified: true
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7d0a0cb7c9..6e3cb2950b 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -18,6 +18,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do issuer = ENV.fetch('OPENID_CONNECT_ISSUER', '')
+ custom_scope = ENV.fetch('OPENID_CONNECT_CUSTOM_SCOPE', '')
 lb = ENV.fetch('LOADBALANCER_ENDPOINT', '') if lb.present?
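Review bot: `Role.find_by(name: role_name, provider: current_provider)` is handed the raw claim value, and a key named by `roles` (default `'roles'`) will often carry an array; `find_by` with an array builds an `IN` list and returns whichever matching row happens to come first, so a user in several groups gets an unspecified role. The `&.key?(roles)` guard also raises instead of falling back when the `custom_claim` entry is present but not a hash, because `dig` hands that value straight to `key?`. The rewrite below coerces the claim to a list, skips blank entries, and takes the first listed name that maps to a role for the provider; whether "first listed wins" is the intended precedence is a product decision the hunk does not state, so it is worth writing on the method, and a `Rails.logger.warn` when a non-blank claim maps to no role would help operators debug mappings. Style: `role_name.present?` / `role.present?` read better than `!…blank?`, and the trailing `return default_role` needs no `return`.
```ruby
  def extract_role(credentials)
    # … unchanged: custom_claim / roles ENV lookups …
    claim = credentials.dig('extra', 'raw_info', custom_claim)
    return default_role unless claim.respond_to?(:key?) && claim.key?(roles)

    # The claim may hold one name or a list; the first listed name that maps to a
    # role for this provider wins. Anything else falls back to the default role.
    Array(claim[roles]).map(&:to_s).reject(&:blank?).each do |role_name|
      role = Role.find_by(name: role_name, provider: current_provider)
      return role if role.present?
    end
    default_role
  end
```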
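Review bot: `role: extract_role(credentials)` makes the IdP claim the source of the role every time build_user_info runs; the rest of the method and its callers are outside the hunk, so if this hash also feeds updates of existing users, a role an administrator assigned locally is overwritten on each sign-in and a user whose claim is later removed drops to `default_role`. Worth confirming the hash is consumed only at user creation, or stating the precedence on the method, e.g. `# role: taken from the OIDC custom claim on every sign-in; overrides any role set in the admin UI`. build_user_info starts and ends outside the hunk.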
@@ -28,7 +29,7 @@ issuer_url = File.join issuer.to_s, "/#{current_provider}" env['omniauth.strategy'].options[:issuer] = issuer_url
- env['omniauth.strategy'].options[:scope] = %i[openid email profile]
+ env['omniauth.strategy'].options[:scope] = %i[openid email profile] + (!custom_scope.empty? ? [custom_scope.to_sym] : [])
 env['omniauth.strategy'].options[:uid_field] = ENV.fetch('OPENID_CONNECT_UID_FIELD', 'sub') env['omniauth.strategy'].options[:discovery] = true env['omniauth.strategy'].options[:client_options].identifier = ENV.fetch('OPENID_CONNECT_CLIENT_ID')
@@ -45,7 +46,7 @@ elsif issuer.present? provider :openid_connect, issuer:,
- scope: %i[openid email profile],
+ scope: %i[openid email profile] + (!custom_scope.empty? ? [custom_scope.to_sym] : []),
 uid_field: ENV.fetch('OPENID_CONNECT_UID_FIELD', 'sub'), discovery: true, client_options: {
diff --git a/sample.env b/sample.env
index 0bf0fff5b6..7ff39f90c7 100644
--- a/sample.env
+++ b/sample.env
@@ -46,6 +46,9 @@ REDIS_URL= #OPENID_CONNECT_ISSUER= #OPENID_CONNECT_REDIRECT= #OPENID_CONNECT_UID_FIELD=sub
+#OPENID_CONNECT_CUSTOM_SCOPE="org_profile"
+#OPENID_CONNECT_CUSTOM_CLAIM="org_details"
+#OPENID_CONNECT_CUSTOM_CLAIM_ROLE="roles"
 # Uncomment the following flag if you want to use EMAIL as a Unique ID backup, useful for setups with existing users who want to switch to an IDP setup. # More information: https://github.com/bigbluebutton/greenlight/issues/5872
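Review bot: `%i[openid email profile] + (!custom_scope.empty? ? [custom_scope.to_sym] : [])` is now spelled out twice, here and in the `provider :openid_connect` branch at `@@ -45,7 +46,7 @@`, and the two will drift the next time the scope list changes. Computing it once next to the `custom_scope = ENV.fetch('OPENID_CONNECT_CUSTOM_SCOPE', '')` line in the earlier hunk — `scopes = %i[openid email profile]` followed by `scopes << custom_scope.to_sym if custom_scope.present?` — and using `scopes` in both places keeps them in step and matches the `lb.present?` idiom already used in this file. Note also that the variable accepts exactly one scope: a space-separated value becomes a single odd symbol rather than several scopes, so either the sample.env comment should say one scope or the value should go through `custom_scope.split.map(&:to_sym)`. The surrounding `OmniAuth::Builder` block starts and ends outside the hunk.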