for id tokens with group scope always use full arns (#2157)
havetisyan authored May 2, 2023
1 parent 4fb424f commit d96edd4
Showing 2 changed files with 4 additions and 4 deletions.
@@ -2012,7 +2012,7 @@ public Response getOIDCResponse(ResourceContext ctx, String responseType, String
List<String> idTokenGroups = null;
if (tokenRequest.isGroupsScope()) {

idTokenGroups = processIdTokenGroups(principalName, tokenRequest, domainName, fullArn,
idTokenGroups = processIdTokenGroups(principalName, tokenRequest, domainName, true,
principalDomain, caller);

} else if (tokenRequest.isRolesScope()) {
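Review bot: The bare `true` passed to `processIdTokenGroups` in the groups-scope branch hides that the caller's `fullArn` option is no longer honored on this path, and nothing at the call site says why. A short comment such as `// group claims always carry the full arn (domain:group.name); the fullArn option is not honored for the groups scope` would keep a later cleanup from re-wiring the parameter. This is also a contract change for relying parties: any authorization rule that matches the short name in the `groups` claim will stop matching after this commit, so the documentation for `fullArn` and the release notes should say so. The roles-scope branch only begins at the last line of the hunk, so whether it still honors `fullArn` cannot be confirmed from here; `getOIDCResponse` itself starts and ends outside the hunk.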
@@ -13488,8 +13488,8 @@ public void testGetOIDCResponseGroups() {
List<String> userGroups = (List<String>) claims.getBody().get("groups");
assertNotNull(userGroups);
assertEquals(userGroups.size(), 2);
assertTrue(userGroups.contains("dev-team"));
assertTrue(userGroups.contains("pe-team"));
assertTrue(userGroups.contains("coretech:group.dev-team"));
assertTrue(userGroups.contains("coretech:group.pe-team"));

// get only one of the groups and include state

@@ -13516,7 +13516,7 @@ public void testGetOIDCResponseGroups() {
userGroups = (List<String>) claims.getBody().get("groups");
assertNotNull(userGroups);
assertEquals(userGroups.size(), 1);
assertTrue(userGroups.contains("dev-team"));
assertTrue(userGroups.contains("coretech:group.dev-team"));

// requesting a group that the user is not part of

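Review bot: The updated assertions in `testGetOIDCResponseGroups` pin the full-arn form of the `groups` claim, but the visible lines do not show which `fullArn` value the requests pass, so the test may not prove that the option is ignored for the groups scope. If the calls use only one value, add a request with the other and assert the same `coretech:group.dev-team` and `coretech:group.pe-team` entries. The test method starts and ends outside both hunks.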
