From 95eb38828344995fa1a75a7367a80645ff14040a Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 09:20:37 +0200
Subject: [PATCH] fix: handle space-delimited scope string in OIDC role
 extraction

extractRoles() only handled List claims (JSON arrays). When rolesClaim
is configured as "scope", the JWT value is a space-delimited string,
which was silently returning [] and falling back to defaultRoles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../com/cameleer3/server/app/security/OidcTokenExchanger.java  | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 44e9ed2d..0ec91097 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -185,6 +185,9 @@ public class OidcTokenExchanger {
         if (value instanceof List<?> list) {
             return list.stream().map(Object::toString).toList();
         }
+        if (value instanceof String s && !s.isBlank()) {
+            return List.of(s.split(" "));
+        }
         return Collections.emptyList();
     }