reduce amount of const_cast

zvonand · zvonand · commit ab0b1fea51a5 · 2025-10-21T14:54:46.000+02:00
diff --git a/src/Access/ExternalAuthenticators.cpp b/src/Access/ExternalAuthenticators.cpp
@@ -602,7 +602,7 @@ HTTPAuthClientParams ExternalAuthenticators::getHTTPAuthenticationParams(const S
 }
 
 bool ExternalAuthenticators::checkCredentialsAgainstProcessor(const ITokenProcessor & processor,
-                                                              const TokenCredentials & credentials) const
+                                                              TokenCredentials & credentials) const
 {
     if (processor.resolveAndValidate(credentials))
     {
@@ -675,12 +675,12 @@ bool ExternalAuthenticators::checkTokenCredentials(const TokenCredentials & cred
     {
         for (const auto & it: token_processors)
         {
-            if (checkCredentialsAgainstProcessor(*it.second, credentials))
+            if (checkCredentialsAgainstProcessor(*it.second, const_cast<TokenCredentials &>(credentials)))
                 return true;
         }
     }
     else
-        return token_processors.contains(processor_name) && checkCredentialsAgainstProcessor(*token_processors[processor_name], credentials);
+        return token_processors.contains(processor_name) && checkCredentialsAgainstProcessor(*token_processors[processor_name], const_cast<TokenCredentials &>(credentials));
 
     return false;
 }
diff --git a/src/Access/ExternalAuthenticators.h b/src/Access/ExternalAuthenticators.h
@@ -88,7 +88,7 @@ class ExternalAuthenticators
     mutable UsernameToTokenCache username_to_access_token_cache TSA_GUARDED_BY(mutex) ;
 
     bool checkCredentialsAgainstProcessor(const ITokenProcessor & processor,
-                                          const TokenCredentials & credentials) const TSA_REQUIRES(mutex);
+                                          TokenCredentials & credentials) const TSA_REQUIRES(mutex);
 
     void resetImpl() TSA_REQUIRES(mutex);
 };
diff --git a/src/Access/TokenProcessors.h b/src/Access/TokenProcessors.h
@@ -20,7 +20,7 @@ class ITokenProcessor
     : processor_name(processor_name_), token_cache_lifetime(token_cache_lifetime_), username_claim(username_claim_), groups_claim(groups_claim_) {}
     virtual ~ITokenProcessor() = default;
 
-    virtual bool resolveAndValidate(const TokenCredentials & credentials) const = 0;
+    virtual bool resolveAndValidate(TokenCredentials & credentials) const = 0;
 
     virtual bool checkClaims(const TokenCredentials &, const String &) { return true; }
 
@@ -57,7 +57,7 @@ class StaticKeyJwtProcessor : public ITokenProcessor
                                    const String & public_key_password,
                                    const String & private_key_password);
 
-    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool resolveAndValidate(TokenCredentials & credentials) const override;
     bool checkClaims(const TokenCredentials & credentials, const String & claims_to_check) override;
 
 private:
@@ -95,7 +95,7 @@ class JwksJwtProcessor : public ITokenProcessor
                                                  verifier_leeway_,
                                                  std::make_shared<JWKSClient>(jwks_uri_, jwks_cache_lifetime_)) {}
 
-    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool resolveAndValidate(TokenCredentials & credentials) const override;
     bool checkClaims(const TokenCredentials & credentials, const String & claims_to_check) override;
 
 private:
@@ -116,7 +116,7 @@ class GoogleTokenProcessor : public ITokenProcessor
                          const String & groups_claim_)
             : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_) {}
 
-    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool resolveAndValidate(TokenCredentials & credentials) const override;
 };
 
 class AzureTokenProcessor : public ITokenProcessor
@@ -128,7 +128,7 @@ class AzureTokenProcessor : public ITokenProcessor
                         const String & groups_claim_)
             : ITokenProcessor(processor_name_, token_cache_lifetime_, username_claim_, groups_claim_) {}
 
-    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool resolveAndValidate(TokenCredentials & credentials) const override;
 };
 
 class OpenIdTokenProcessor : public ITokenProcessor
@@ -154,7 +154,7 @@ class OpenIdTokenProcessor : public ITokenProcessor
                          UInt64 verifier_leeway_,
                          UInt64 jwks_cache_lifetime_);
 
-    bool resolveAndValidate(const TokenCredentials & credentials) const override;
+    bool resolveAndValidate(TokenCredentials & credentials) const override;
 private:
     Poco::URI userinfo_endpoint;
     Poco::URI token_introspection_endpoint;
diff --git a/src/Access/TokenProcessorsJWT.cpp b/src/Access/TokenProcessorsJWT.cpp
@@ -280,7 +280,7 @@ bool JwksJwtProcessor::checkClaims(const TokenCredentials & credentials, const S
     return checkUserClaims(credentials, claims_to_check);
 }
 
-bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+bool StaticKeyJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const
 {
     try
     {
@@ -296,10 +296,10 @@ bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credenti
             return false;
         }
             
-        const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
+        credentials.setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
 
         if (decoded_jwt.has_payload_claim(groups_claim))
-            const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
+            credentials.setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
         else
             LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);
         
@@ -312,7 +312,7 @@ bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credenti
     }
 }
 
-bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+bool JwksJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const
 {
     auto decoded_jwt = jwt::decode(credentials.getToken());
 
@@ -383,10 +383,10 @@ bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials)
     if (!claims.empty() && !check_claims(claims, decoded_jwt.get_payload_json()))
         return false;
 
-    const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
+    credentials.setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());
 
     if (decoded_jwt.has_payload_claim(groups_claim))
-        const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
+        credentials.setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
     else
         LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);
 
diff --git a/src/Access/TokenProcessorsOpaque.cpp b/src/Access/TokenProcessorsOpaque.cpp
@@ -89,7 +89,7 @@ namespace
     }
 }
 
-bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+bool GoogleTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const
 {
     const String & token = credentials.getToken();
 
@@ -106,14 +106,11 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
 
     String user_name = user_info[username_claim];
 
-
-    /// Credentials are passed as const everywhere up the flow, so we have to comply,
-    /// in this case const_cast looks acceptable.
-    const_cast<TokenCredentials &>(credentials).setUserName(user_name);
+    credentials.setUserName(user_name);
 
     auto token_info = getObjectFromURI(Poco::URI("https://www.googleapis.com/oauth2/v3/tokeninfo"), token);
     if (token_info.contains("exp"))
-        const_cast<TokenCredentials &>(credentials).setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));
+        credentials.setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));
 
     /// Groups info can only be retrieved if user email is known.
     /// If no email found in user info, we skip this step and there are no external roles for the user.
@@ -152,7 +149,7 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
                 }
             }
 
-            const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+            credentials.setGroups(external_groups_names);
         }
         catch (const Exception & e)
         {
@@ -166,7 +163,7 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
     return true;
 }
 
-bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+bool AzureTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const
 {
     /// Token is a JWT in this case, but we cannot directly verify it against Azure AD JWKS.
     /// We will not trust user data in this token except for 'exp' value to determine caching duration.
@@ -180,12 +177,9 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential
     {
         picojson::object user_info_json = getObjectFromURI(Poco::URI("https://graph.microsoft.com/oidc/userinfo"), token);
         String username = getValueByKey(user_info_json, username_claim).value();
+
         if (!username.empty())
-        {
-            /// Credentials are passed as const everywhere up the flow, so we have to comply,
-            /// in this case const_cast looks acceptable.
-            const_cast<TokenCredentials &>(credentials).setUserName(username);
-        }
+            credentials.setUserName(username);
         else
             LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username with token", processor_name);
 
@@ -197,7 +191,7 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential
 
     try
     {
-        const_cast<TokenCredentials &>(credentials).setExpiresAt(jwt::decode(token).get_expires_at());
+        credentials.setExpiresAt(jwt::decode(token).get_expires_at());
     }
     catch (...) {
         LOG_TRACE(getLogger("TokenAuthentication"),
@@ -250,8 +244,7 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential
         return true;
     }
 
-    const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
-
+    credentials.setGroups(external_groups_names);
     return true;
 }
 
@@ -309,7 +302,7 @@ OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,
     }
 }
 
-bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const
+bool OpenIdTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const
 {
     const String & token = credentials.getToken();
     String username;
@@ -325,7 +318,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
 
             /// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.
             if (decoded_token.has_expires_at())
-                const_cast<TokenCredentials &>(credentials).setExpiresAt(decoded_token.get_expires_at());
+                credentials.setExpiresAt(decoded_token.get_expires_at());
         }
         catch (const std::exception & ex)
         {
@@ -359,9 +352,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         return false;
     }
 
-    /// Credentials are passed as const everywhere up the flow, so we have to comply,
-    /// in this case const_cast is acceptable.
-    const_cast<TokenCredentials &>(credentials).setUserName(username);
+    credentials.setUserName(username);
 
     /// For now, list of groups is expected in a claim with specified name either in token itself or in userinfo response (Keycloak works this way)
     /// TODO: add support for custom endpoints for retrieving groups. Keycloak lists groups in /userinfo and token itself, which is not always the case.
@@ -382,7 +373,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
             if (group.is<std::string>())
                 external_groups_names.insert(group.get<std::string>());
         }
-        const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+        credentials.setGroups(external_groups_names);
     }
 
     return true;

Original file line number	Diff line number	Diff line change
`@@ -602,7 +602,7 @@ HTTPAuthClientParams ExternalAuthenticators::getHTTPAuthenticationParams(const S`
`602`	`602`	`}`
`603`	`603`
`604`	`604`	`bool ExternalAuthenticators::checkCredentialsAgainstProcessor(const ITokenProcessor & processor,`
`605`		`- const TokenCredentials & credentials) const`
	`605`	`+ TokenCredentials & credentials) const`
`606`	`606`	`{`
`607`	`607`	`if (processor.resolveAndValidate(credentials))`
`608`	`608`	`{`
`@@ -675,12 +675,12 @@ bool ExternalAuthenticators::checkTokenCredentials(const TokenCredentials & cred`
`675`	`675`	`{`
`676`	`676`	`for (const auto & it: token_processors)`
`677`	`677`	`{`
`678`		`- if (checkCredentialsAgainstProcessor(*it.second, credentials))`
	`678`	`+ if (checkCredentialsAgainstProcessor(*it.second, const_cast<TokenCredentials &>(credentials)))`
`679`	`679`	`return true;`
`680`	`680`	`}`
`681`	`681`	`}`
`682`	`682`	`else`
`683`		`- return token_processors.contains(processor_name) && checkCredentialsAgainstProcessor(*token_processors[processor_name], credentials);`
	`683`	`+ return token_processors.contains(processor_name) && checkCredentialsAgainstProcessor(*token_processors[processor_name], const_cast<TokenCredentials &>(credentials));`
`684`	`684`
`685`	`685`	`return false;`
`686`	`686`	`}`
Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ bool JwksJwtProcessor::checkClaims(const TokenCredentials & credentials, const S`
`280`	`280`	`return checkUserClaims(credentials, claims_to_check);`
`281`	`281`	`}`
`282`	`282`
`283`		`-bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const`
	`283`	`+bool StaticKeyJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`284`	`284`	`{`
`285`	`285`	`try`
`286`	`286`	`{`
`@@ -296,10 +296,10 @@ bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credenti`
`296`	`296`	`return false;`
`297`	`297`	`}`
`298`	`298`
`299`		`- const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());`
	`299`	`+ credentials.setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());`
`300`	`300`
`301`	`301`	`if (decoded_jwt.has_payload_claim(groups_claim))`
`302`		`- const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));`
	`302`	`+ credentials.setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));`
`303`	`303`	`else`
`304`	`304`	`LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);`
`305`	`305`
`@@ -312,7 +312,7 @@ bool StaticKeyJwtProcessor::resolveAndValidate(const TokenCredentials & credenti`
`312`	`312`	`}`
`313`	`313`	`}`
`314`	`314`
`315`		`-bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials) const`
	`315`	`+bool JwksJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`316`	`316`	`{`
`317`	`317`	`auto decoded_jwt = jwt::decode(credentials.getToken());`
`318`	`318`
`@@ -383,10 +383,10 @@ bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials)`
`383`	`383`	`if (!claims.empty() && !check_claims(claims, decoded_jwt.get_payload_json()))`
`384`	`384`	`return false;`
`385`	`385`
`386`		`- const_cast<TokenCredentials &>(credentials).setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());`
	`386`	`+ credentials.setUserName(decoded_jwt.get_payload_claim(username_claim).as_string());`
`387`	`387`
`388`	`388`	`if (decoded_jwt.has_payload_claim(groups_claim))`
`389`		`- const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));`
	`389`	`+ credentials.setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));`
`390`	`390`	`else`
`391`	`391`	`LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);`
`392`	`392`
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ namespace`
`89`	`89`	`}`
`90`	`90`	`}`
`91`	`91`
`92`		`-bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const`
	`92`	`+bool GoogleTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`93`	`93`	`{`
`94`	`94`	`const String & token = credentials.getToken();`
`95`	`95`
`@@ -106,14 +106,11 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`106`	`106`
`107`	`107`	`String user_name = user_info[username_claim];`
`108`	`108`
`109`		`-`
`110`		`- /// Credentials are passed as const everywhere up the flow, so we have to comply,`
`111`		`- /// in this case const_cast looks acceptable.`
`112`		`- const_cast<TokenCredentials &>(credentials).setUserName(user_name);`
	`109`	`+ credentials.setUserName(user_name);`
`113`	`110`
`114`	`111`	`auto token_info = getObjectFromURI(Poco::URI("https://www.googleapis.com/oauth2/v3/tokeninfo"), token);`
`115`	`112`	`if (token_info.contains("exp"))`
`116`		`- const_cast<TokenCredentials &>(credentials).setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));`
	`113`	`+ credentials.setExpiresAt(std::chrono::system_clock::from_time_t((getValueByKey<time_t>(token_info, "exp").value())));`
`117`	`114`
`118`	`115`	`/// Groups info can only be retrieved if user email is known.`
`119`	`116`	`/// If no email found in user info, we skip this step and there are no external roles for the user.`
`@@ -152,7 +149,7 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`152`	`149`	`}`
`153`	`150`	`}`
`154`	`151`
`155`		`- const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);`
	`152`	`+ credentials.setGroups(external_groups_names);`
`156`	`153`	`}`
`157`	`154`	`catch (const Exception & e)`
`158`	`155`	`{`
`@@ -166,7 +163,7 @@ bool GoogleTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`166`	`163`	`return true;`
`167`	`164`	`}`
`168`	`165`
`169`		`-bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const`
	`166`	`+bool AzureTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`170`	`167`	`{`
`171`	`168`	`/// Token is a JWT in this case, but we cannot directly verify it against Azure AD JWKS.`
`172`	`169`	`/// We will not trust user data in this token except for 'exp' value to determine caching duration.`
`@@ -180,12 +177,9 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential`
`180`	`177`	`{`
`181`	`178`	`picojson::object user_info_json = getObjectFromURI(Poco::URI("https://graph.microsoft.com/oidc/userinfo"), token);`
`182`	`179`	`String username = getValueByKey(user_info_json, username_claim).value();`
	`180`	`+`
`183`	`181`	`if (!username.empty())`
`184`		`- {`
`185`		`- /// Credentials are passed as const everywhere up the flow, so we have to comply,`
`186`		`- /// in this case const_cast looks acceptable.`
`187`		`- const_cast<TokenCredentials &>(credentials).setUserName(username);`
`188`		`- }`
	`182`	`+ credentials.setUserName(username);`
`189`	`183`	`else`
`190`	`184`	`LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username with token", processor_name);`
`191`	`185`
`@@ -197,7 +191,7 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential`
`197`	`191`
`198`	`192`	`try`
`199`	`193`	`{`
`200`		`- const_cast<TokenCredentials &>(credentials).setExpiresAt(jwt::decode(token).get_expires_at());`
	`194`	`+ credentials.setExpiresAt(jwt::decode(token).get_expires_at());`
`201`	`195`	`}`
`202`	`196`	`catch (...) {`
`203`	`197`	`LOG_TRACE(getLogger("TokenAuthentication"),`
`@@ -250,8 +244,7 @@ bool AzureTokenProcessor::resolveAndValidate(const TokenCredentials & credential`
`250`	`244`	`return true;`
`251`	`245`	`}`
`252`	`246`
`253`		`- const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);`
`254`		`-`
	`247`	`+ credentials.setGroups(external_groups_names);`
`255`	`248`	`return true;`
`256`	`249`	`}`
`257`	`250`
`@@ -309,7 +302,7 @@ OpenIdTokenProcessor::OpenIdTokenProcessor(const String & processor_name_,`
`309`	`302`	`}`
`310`	`303`	`}`
`311`	`304`
`312`		`-bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentials) const`
	`305`	`+bool OpenIdTokenProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`313`	`306`	`{`
`314`	`307`	`const String & token = credentials.getToken();`
`315`	`308`	`String username;`
`@@ -325,7 +318,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`325`	`318`
`326`	`319`	`/// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.`
`327`	`320`	`if (decoded_token.has_expires_at())`
`328`		`- const_cast<TokenCredentials &>(credentials).setExpiresAt(decoded_token.get_expires_at());`
	`321`	`+ credentials.setExpiresAt(decoded_token.get_expires_at());`
`329`	`322`	`}`
`330`	`323`	`catch (const std::exception & ex)`
`331`	`324`	`{`
`@@ -359,9 +352,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`359`	`352`	`return false;`
`360`	`353`	`}`
`361`	`354`
`362`		`- /// Credentials are passed as const everywhere up the flow, so we have to comply,`
`363`		`- /// in this case const_cast is acceptable.`
`364`		`- const_cast<TokenCredentials &>(credentials).setUserName(username);`
	`355`	`+ credentials.setUserName(username);`
`365`	`356`
`366`	`357`	`/// For now, list of groups is expected in a claim with specified name either in token itself or in userinfo response (Keycloak works this way)`
`367`	`358`	`/// TODO: add support for custom endpoints for retrieving groups. Keycloak lists groups in /userinfo and token itself, which is not always the case.`
`@@ -382,7 +373,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`382`	`373`	`if (group.is<std::string>())`
`383`	`374`	`external_groups_names.insert(group.get<std::string>());`
`384`	`375`	`}`
`385`		`- const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);`
	`376`	`+ credentials.setGroups(external_groups_names);`
`386`	`377`	`}`
`387`	`378`
`388`	`379`	`return true;`