From e7b3c48ff48bd7cfb206c32ea97862b757057573 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Fri, 7 Mar 2025 14:38:33 +0100
Subject: [PATCH] fix: don't throw error if group claim is missing

---
 .../oauth/provider/genericOidc.provider.ts | 37 ++++++++-----------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/backend/src/oauth/provider/genericOidc.provider.ts b/backend/src/oauth/provider/genericOidc.provider.ts
index e6a45ae..8c94571 100644
--- a/backend/src/oauth/provider/genericOidc.provider.ts
+++ b/backend/src/oauth/provider/genericOidc.provider.ts
@@ -147,38 +147,33 @@ export abstract class GenericOidcProvider implements OAuthProvider {
 if (roleConfig?.path) {
 // A path to read roles from the token is configured
- let roles: string[] | null;
+ let roles: string[] = [];
 try {
 roles = jmespath.search(idTokenData, roleConfig.path);
 } catch (e) {
- roles = null;
- }
- if (Array.isArray(roles)) {
- // Roles are found in the token
- if (
- roleConfig.generalAccess &&
- !roles.includes(roleConfig.generalAccess)
- ) {
- // Role for general access is configured and the user does not have it
- this.logger.error(
- `User roles ${roles} do not include ${roleConfig.generalAccess}`,
- );
- throw new ErrorPageException("user_not_allowed");
- }
- if (roleConfig.adminAccess) {
- // Role for admin access is configured
- isAdmin = roles.includes(roleConfig.adminAccess);
- }
- } else {
- this.logger.error(
+ this.logger.warn(
 `Roles not found at path ${roleConfig.path} in ID Token ${JSON.stringify(
 idTokenData,
 undefined,
 2,
 )}`,
 );
+ }
+
+ if (
+ roleConfig.generalAccess &&
+ !roles.includes(roleConfig.generalAccess)
+ ) {
+ // Role for general access is configured and the user does not have it
+ this.logger.error(
+ `User roles ${roles} do not include ${roleConfig.generalAccess}`,
+ );
 throw new ErrorPageException("user_not_allowed");
 }
+ if (roleConfig.adminAccess) {
+ // Role for admin access is configured
+ isAdmin = roles.includes(roleConfig.adminAccess);
+ }
 }
 if (!username) {
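Review bot: Dropping the `Array.isArray(roles)` guard lets `roles.includes(...)` run on whatever `jmespath.search` returned, and the `string[]` annotation on the new `let roles` line does not enforce that at runtime. If the library reports a missing claim by returning `null` rather than throwing (which is how the jmespath API normally behaves, so the `catch` branch may never see the case this commit targets), the new code crashes with a TypeError at `!roles.includes(roleConfig.generalAccess)` instead of denying cleanly; if the claim is a single string, `String.prototype.includes` does substring matching, so a group value like `"not-admin"` would satisfy `adminAccess = "admin"` and grant admin. Normalize the search result to an array of strings before any membership check, as sketched below. The `warn` still dumps the whole ID token into the log, which is worth reconsidering since it may carry personal data. The enclosing method starts and ends outside this hunk.
```typescript
      let roles: string[] = [];
      try {
        const found: unknown = jmespath.search(idTokenData, roleConfig.path);
        // jmespath yields null for a missing key and may yield a scalar; only an
        // array of strings is a usable role list, anything else means "no roles".
        roles = Array.isArray(found)
          ? found.filter((r): r is string => typeof r === "string")
          : [];
      } catch (e) {
        // … unchanged: this.logger.warn(`Roles not found at path …`) …
      }
      if (roles.length === 0) {
        this.logger.warn(`No usable roles at path ${roleConfig.path} in ID Token`);
      }
      // … unchanged: generalAccess / adminAccess checks …
```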