idp/oauth: update processing of cognito claims

See also: greenpau/caddy-security#302
greenpau · Dec 2, 2023 · 8eb4bfb · 8eb4bfb
1 parent 923da84
commit 8eb4bfb
Showing 1 changed file with 21 additions and 5 deletions.
diff --git a/pkg/idp/oauth/validator.go b/pkg/idp/oauth/validator.go
@@ -119,14 +119,27 @@ func (b *IdentityProvider) validateAccessToken(state string, data map[string]int
 	case "cognito":
 		if v, exists := data["id_token"]; exists {
 			if tp, err := kms.ParsePayloadFromToken(v.(string)); err == nil {
+				roles := []string{}
 				for k, val := range tp {
 					switch k {
-					case "custom:roles":
-						roles := []string{}
-						for _, roleName := range strings.Split(val.(string), "|") {
-							roles = append(roles, roleName)
+					case "custom:roles", "cognito:groups", "cognito:roles":
+						switch values := v.(type) {
+						case string:
+							if k == "custom:roles" {
+								for _, roleName := range strings.Split(val.(string), "|") {
+									roles = append(roles, roleName)
+								}
+							} else {
+								roles = append(roles, values)
+							}
+						case []interface{}:
+							for _, value := range values {
+								switch roleName := value.(type) {
+								case string:
+									roles = append(roles, roleName)
+								}
+							}
 						}
-						m["roles"] = roles
 					case "custom:timezone":
 						m["timezone"] = val.(string)
 					case "cognito:username":
@@ -135,6 +148,9 @@ func (b *IdentityProvider) validateAccessToken(state string, data map[string]int
 						m["timezone"] = val.(string)
 					}
 				}
+				if len(roles) > 0 {
+					m["roles"] = roles
+				}
 			}
 		}
 	}