SSO: Use client specific user roles

AOEpeople · Sep 11, 2024 · dc4e13a · dc4e13a
1 parent 62e4a0e
commit dc4e13a
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 12 deletions.
diff --git a/config/services.yaml b/config/services.yaml
@@ -283,6 +283,11 @@ services:
       $logoutUrl: '%app.idp.endpoint.logout%'
       $baseUri: '%app.base_url%'
 
+  mealz.oauthuserprovider: '@App\Mealz\UserBundle\Provider\OAuthUserProvider'
+  App\Mealz\UserBundle\Provider\OAuthUserProvider:
+    arguments:
+      $authClientID: '%app.idp.client_id%'
+
   App\Mealz\UserBundle\Repository\ProfileRepository:
     arguments:
       $entityClass: App\Mealz\UserBundle\Entity\Profile

diff --git a/src/Mealz/UserBundle/Provider/OAuthUserProvider.php b/src/Mealz/UserBundle/Provider/OAuthUserProvider.php
@@ -38,13 +38,11 @@ class OAuthUserProvider implements UserProviderInterface, OAuthAwareUserProvider
         'aoe_employee' => self::ROLE_USER,
     ];
 
-    private EntityManagerInterface $entityManager;
-    private RoleRepositoryInterface $roleRepo;
-
-    public function __construct(EntityManagerInterface $entityManager, RoleRepositoryInterface $roleRepo)
-    {
-        $this->entityManager = $entityManager;
-        $this->roleRepo = $roleRepo;
+    public function __construct(
+        private string $authClientID,
+        private EntityManagerInterface $entityManager,
+        private RoleRepositoryInterface $roleRepo
+    ) {
     }
 
     public function loadUserByIdentifier(string $identifier): UserInterface
@@ -69,8 +67,10 @@ public function loadUserByOAuthUserResponse(UserResponseInterface $response): Us
         $lastName = $response->getLastName() ?? '';
         $email = $response->getEmail();
 
-        $idpUserRoles = $response->getData()['roles'] ?? [];
-        $role = $this->toMealsRole($idpUserRoles);
+        $data = $response->getData();
+        $globalUserRoles = $data['roles'] ?? [];
+        $appUserRoles = $data['resource_access'][$this->authClientID]['roles'] ?? [];
+        $role = $this->toMealsRole(array_merge($globalUserRoles, $appUserRoles));
         $roles = (null === $role) ? [] : [$role];
 
         try {

diff --git a/src/Mealz/UserBundle/Resources/config/services.yml b/src/Mealz/UserBundle/Resources/config/services.yml
@@ -1,4 +1,2 @@
 services:
-    mealz.oauthuserprovider:
-        alias: App\Mealz\UserBundle\Provider\OAuthUserProvider
-
+  # Deprecated, do not define any services here. Use services.yaml in root level config directory instead.