cameleer/cameleer-server
1
0
Fork 0
Code Issues 44 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: apply defaultRoles fallback when no claim mapping rules match
All checks were successful
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 1m19s
Details
CI / docker (push) Successful in 1m3s
Details
CI / deploy-feature (push) Has been skipped
Details
CI / deploy (push) Successful in 36s
Details

Browse Source 
When no claim mapping rules are configured or none match the JWT
claims, fall back to assigning the OidcConfig.defaultRoles (e.g.
VIEWER). This restores the behavior that was lost when syncOidcRoles
was replaced with claim mapping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-08 11:33:24 +02:00
parent 9af0043915
commit 529e2c727c
1 changed files with 38 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
View File

@@ -156,7 +156,7 @@ public class OidcAuthController {
userId, provider, oidcUser.email(), oidcUser.name(), Instant.now())); userId, provider, oidcUser.email(), oidcUser.name(), Instant.now()));
// Apply claim mapping rules to assign managed roles/groups from JWT claims // Apply claim mapping rules to assign managed roles/groups from JWT claims
applyClaimMappings(userId, oidcUser.allClaims()); applyClaimMappings(userId, oidcUser.allClaims(), config.get());
List<String> roles = rbacService.getSystemRoleNames(userId); List<String> roles = rbacService.getSystemRoleNames(userId);
@@ -180,16 +180,14 @@ public class OidcAuthController {
} }
} }
private void applyClaimMappings(String userId, Map<String, Object> claims) { private void applyClaimMappings(String userId, Map<String, Object> claims, OidcConfig oidcConfig) {
List<ClaimMappingRule> rules = claimMappingRepository.findAll(); List<ClaimMappingRule> rules = claimMappingRepository.findAll();
if (rules.isEmpty()) {
log.debug("No claim mapping rules configured, skipping for user {}", userId);
return;
}
rbacService.clearManagedAssignments(userId); rbacService.clearManagedAssignments(userId);
List<ClaimMappingService.MappingResult> results = claimMappingService.evaluate(rules, claims); List<ClaimMappingService.MappingResult> results = List.of();
if (!rules.isEmpty()) {
results = claimMappingService.evaluate(rules, claims);
for (var result : results) { for (var result : results) {
ClaimMappingRule rule = result.rule(); ClaimMappingRule rule = result.rule();
switch (rule.action()) { switch (rule.action()) {
@@ -216,5 +214,20 @@ public class OidcAuthController {
} }
} }
// Fallback: if no mapping rules matched, assign defaultRoles from OIDC config
if (results.isEmpty()) {
List<String> defaultRoles = oidcConfig.defaultRoles();
if (defaultRoles != null && !defaultRoles.isEmpty()) {
for (String roleName : defaultRoles) {
UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
if (roleId != null) {
rbacService.assignRoleToUser(userId, roleId);
log.debug("Default role {} assigned to {} (no claim mapping matched)", roleName, userId);
}
}
}
}
}
public record CallbackRequest(String code, String redirectUri) {} public record CallbackRequest(String code, String redirectUri) {}
} }