fix: Always request oidc roles from token

Entire-Checkpoint: bfdbffd7aae0
fix: allow all role changes on SyncUser and UpdateUser callback
2026-04-01 13:37:30 +02:00 · 2026-04-01 12:36:37 +02:00 · 2026-04-01 11:09:50 +02:00 · 2026-04-01 11:03:19 +02:00
2 changed files with 63 additions and 16 deletions
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -79,7 +79,7 @@ func NewOIDC(a *Authentication) *OIDC {
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		Endpoint:     provider.Endpoint(),
-		Scopes:       []string{oidc.ScopeOpenID, "profile"},
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "roles"},
 	}
 	oa := &OIDC{provider: provider, client: client, clientID: clientID, authentication: a}
@@ -164,34 +164,65 @@ func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
 	projects := make([]string, 0)
-	// Extract custom claims from userinfo
+	// Extract profile claims from userinfo (username, name)
-	var claims struct {
+	var userInfoClaims struct {
 		Username string `json:"preferred_username"`
 		Name     string `json:"name"`
 	}
 	if err := userInfo.Claims(&userInfoClaims); err != nil {
 		cclog.Errorf("failed to extract userinfo claims: %s", err.Error())
 		http.Error(rw, "Failed to extract user claims", http.StatusInternalServerError)
 		return
 	}
 	// Extract role claims from the ID token.
 	// Keycloak includes realm_access and resource_access in the ID token (JWT),
 	// but NOT in the UserInfo endpoint response by default.
 	var idTokenClaims struct {
 		Username string `json:"preferred_username"`
 		Name     string `json:"name"`
 		// Keycloak realm-level roles
 		RealmAccess struct {
 			Roles []string `json:"roles"`
 		} `json:"realm_access"`
-		// Keycloak client-level roles
+		// Keycloak client-level roles: map from client-id to role list
-		ResourceAccess struct {
+		ResourceAccess map[string]struct {
 			Client struct {
 			Roles []string `json:"roles"`
 			} `json:"clustercockpit"`
 		} `json:"resource_access"`
 	}
-	if err := userInfo.Claims(&claims); err != nil {
+	if err := idToken.Claims(&idTokenClaims); err != nil {
-		cclog.Errorf("failed to extract claims: %s", err.Error())
+		cclog.Errorf("failed to extract ID token claims: %s", err.Error())
-		http.Error(rw, "Failed to extract user claims", http.StatusInternalServerError)
+		http.Error(rw, "Failed to extract ID token claims", http.StatusInternalServerError)
 		return
 	}
-	if claims.Username == "" {
+	cclog.Debugf("OIDC userinfo claims: username=%q name=%q", userInfoClaims.Username, userInfoClaims.Name)
 	cclog.Debugf("OIDC ID token realm_access roles: %v", idTokenClaims.RealmAccess.Roles)
 	cclog.Debugf("OIDC ID token resource_access: %v", idTokenClaims.ResourceAccess)
 	// Prefer username from userInfo; fall back to ID token claim
 	username := userInfoClaims.Username
 	if username == "" {
 		username = idTokenClaims.Username
 	}
 	name := userInfoClaims.Name
 	if name == "" {
 		name = idTokenClaims.Name
 	}
 	if username == "" {
 		http.Error(rw, "Username claim missing from OIDC provider", http.StatusBadRequest)
 		return
 	}
-	// Merge roles from both client-level and realm-level access
+	// Collect roles from realm_access (realm roles) in the ID token
-	oidcRoles := append(claims.ResourceAccess.Client.Roles, claims.RealmAccess.Roles...)
+	oidcRoles := append([]string{}, idTokenClaims.RealmAccess.Roles...)
 	// Also collect roles from resource_access (client roles) for all clients
 	for clientID, access := range idTokenClaims.ResourceAccess {
 		cclog.Debugf("OIDC ID token resource_access[%q] roles: %v", clientID, access.Roles)
 		oidcRoles = append(oidcRoles, access.Roles...)
 	}
 	roleSet := make(map[string]bool)
 	for _, r := range oidcRoles {
@@ -217,8 +248,8 @@ func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
 	}
 	user := &schema.User{
-		Username:   claims.Username,
+		Username:   username,
-		Name:       claims.Name,
+		Name:       name,
 		Roles:      roles,
 		Projects:   projects,
 		AuthSource: schema.AuthViaOIDC,
--- a/internal/repository/user.go
+++ b/internal/repository/user.go
@@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -210,6 +211,12 @@ func (r *UserRepository) AddUserIfNotExists(user *schema.User) error {
 	return err
 }
 func sortedRoles(roles []string) []string {
 	cp := append([]string{}, roles...)
 	sort.Strings(cp)
 	return cp
 }
 func (r *UserRepository) UpdateUser(dbUser *schema.User, user *schema.User) error {
 	// user contains updated info -> Apply to dbUser
 	// --- Simple Name Update ---
@@ -279,6 +286,15 @@ func (r *UserRepository) UpdateUser(dbUser *schema.User, user *schema.User) erro
 		}
 	}
 	// --- Fallback: sync any remaining role differences not covered above ---
 	// This handles admin role assignment/removal and any other combinations that
 	// the specific branches above do not cover (e.g. user→admin, admin→user).
 	if !reflect.DeepEqual(sortedRoles(dbUser.Roles), sortedRoles(user.Roles)) {
 		if err := updateRoles(user.Roles); err != nil {
 			return err
 		}
 	}
 	return nil
 }
Author	SHA1	Message	Date
Jan Eitzinger	31a8a11f1b	fix: Always request oidc roles from token Entire-Checkpoint: bfdbffd7aae0	2026-04-01 12:36:37 +02:00
Jan Eitzinger	84fe61b3e0	fix: allow all role changes on SyncUser and UpdateUser callback Entire-Checkpoint: 496bace0120e	2026-04-01 11:09:50 +02:00
Jan Eitzinger	1f04e0a1ce	fix: oidc role extraction Entire-Checkpoint: bbe9ad3cf817	2026-04-01 11:03:19 +02:00