From a16da3bef30b26cbf813526dee817538b99d9d6e Mon Sep 17 00:00:00 2001
From: Dan <djr2468@gmail.com>
Date: Mon, 3 Apr 2023 21:30:28 +0100
Subject: Support providers who do not provide the groups scope

---
 src/main/java/org/traccar/config/Keys.java             |  6 +++---
 src/main/java/org/traccar/database/OpenIdProvider.java | 14 ++++++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

(limited to 'src/main')

diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 707e9e815..3ff423ad1 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -665,12 +665,12 @@ public final class Keys {
 
     /**
      * OpenID Connect group to grant admin access.
-     * Defaults to admins.
+     * If this is not provided, no groups will be granted admin access.
+     * This option will only work if your OpenID provider supports the groups scope.
      */
     public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey(
             "openid.adminGroup",
-            List.of(KeyType.CONFIG),
-            "admins");
+            List.of(KeyType.CONFIG));
 
     /**
      * If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index f5c7eef15..537319b31 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -94,9 +94,15 @@ public class OpenIdProvider {
     }
 
     public URI createAuthUri() {
+        Scope scope = new Scope("openid", "profile", "email");
+
+        if (adminGroup != null) {
+            scope.add("groups");
+        }
+
         AuthenticationRequest.Builder request = new AuthenticationRequest.Builder(
                 new ResponseType("code"),
-                new Scope("openid", "profile", "email", "groups"),
+                scope,
                 clientId,
                 callbackUrl);
 
@@ -156,9 +162,9 @@ public class OpenIdProvider {
 
             UserInfo userInfo = getUserInfo(bearerToken);
 
-            User user = loginService.login(
-                userInfo.getEmailAddress(), userInfo.getName(),
-                userInfo.getStringListClaim("groups").contains(adminGroup));
+            Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+
+            User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
 
             request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId());
             LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
-- 
cgit v1.2.3