feat: split scope groups and role claims (#529)

IvanJosipovic · web-flow · commit 10c4390cc16a · 2025-10-15T10:24:39.000-07:00
diff --git a/src/oidc-guard/Program.cs b/src/oidc-guard/Program.cs
@@ -249,6 +249,8 @@ public static void Main(string[] args)
 
         builder.Services.Configure<ForwardedHeadersOptions>(options => options.ForwardedHeaders = ForwardedHeaders.All);
 
+        builder.Services.AddTransient<IClaimsTransformation, ClaimSplitter>();
+
         builder.Services.AddHostedService<HostedService>();
 
         var app = builder.Build();
diff --git a/src/oidc-guard/Services/ClaimSplitter.cs b/src/oidc-guard/Services/ClaimSplitter.cs
@@ -0,0 +1,40 @@
+﻿using Microsoft.AspNetCore.Authentication;
+using System.Security.Claims;
+
+namespace oidc_guard.Services;
+
+public class ClaimSplitter : IClaimsTransformation
+{
+    private static readonly string[] SplitClaimTypes = ["scope", "groups", "role"];
+
+    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
+    {
+        var identities = new List<ClaimsIdentity>();
+
+        foreach (var id in principal.Identities)
+        {
+            var identity = new ClaimsIdentity(id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
+
+            foreach (var claim in id.Claims)
+            {
+                if (SplitClaimTypes.Contains(claim.Type) && claim.Value.Contains(' '))
+                {
+                    var values = claim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries);
+
+                    foreach (var value in values)
+                    {
+                        identity.AddClaim(new Claim(claim.Type, value, claim.ValueType, claim.Issuer));
+                    }
+
+                    continue;
+                }
+
+                identity.AddClaim(claim);
+            }
+
+            identities.Add(identity);
+        }
+
+        return Task.FromResult(new ClaimsPrincipal(identities));
+    }
+}
diff --git a/tests/oidc-guard-tests/AuthTests.cs b/tests/oidc-guard-tests/AuthTests.cs
@@ -182,6 +182,90 @@ public static IEnumerable<object[]> GetArrayTests()
                 },
                 HttpStatusCode.Forbidden
             },
+
+            new object[]
+            {
+                "?scope=admin",
+                new List<Claim>
+                {
+                    new Claim("scope", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?scope=admin&scope=editor",
+                new List<Claim>
+                {
+                    new Claim("scope", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?scope=admin&scope=editor&scope=viewer",
+                new List<Claim>
+                {
+                    new Claim("scope", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+
+            new object[]
+            {
+                "?groups=admin",
+                new List<Claim>
+                {
+                    new Claim("groups", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?groups=admin&groups=editor",
+                new List<Claim>
+                {
+                    new Claim("groups", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?groups=admin&groups=editor&groups=viewer",
+                new List<Claim>
+                {
+                    new Claim("groups", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+
+            new object[]
+            {
+                "?role=admin",
+                new List<Claim>
+                {
+                    new Claim("role", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?role=admin&role=editor",
+                new List<Claim>
+                {
+                    new Claim("role", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
+            new object[]
+            {
+                "?role=admin&role=editor&role=viewer",
+                new List<Claim>
+                {
+                    new Claim("role", "admin editor viewer")
+                },
+                HttpStatusCode.OK
+            },
         ];
     }
 
@@ -267,6 +351,22 @@ public static IEnumerable<object[]> GetInjectClaimsTests()
                 }
             },
 
+            new object[]
+            {
+                "?tid=11111111-1111-1111-1111-111111111111&inject-claim=groups",
+                new List<Claim>
+                {
+                    new("tid", "11111111-1111-1111-1111-111111111111"),
+                    new("aud", "22222222-2222-2222-2222-222222222222"),
+                    new("groups", "admin editor viewer"),
+                },
+                HttpStatusCode.OK,
+                new List<KeyValuePair<string,string>>
+                {
+                    new("groups", "admin, editor, viewer"),
+                }
+            },
+
             new object[]
             {
                 "?tid=11111111-1111-1111-1111-111111111111&inject-claim=group",
