From 7fc6d93b8cf4226d26e18d9237e1471ad0ae5659 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Fri, 24 Jan 2025 14:05:14 -0800
Subject: [PATCH] revert filtering IdP groups claim groups
---
 authorize/evaluator/headers_evaluator_evaluation.go | 1 -
 authorize/evaluator/headers_evaluator_test.go | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/authorize/evaluator/headers_evaluator_evaluation.go b/authorize/evaluator/headers_evaluator_evaluation.go
index cc7d1b6a9..82f39151c 100644
--- a/authorize/evaluator/headers_evaluator_evaluation.go
+++ b/authorize/evaluator/headers_evaluator_evaluation.go
@@ -334,7 +334,6 @@ func (e *headersEvaluatorEvaluation) getGroups(ctx context.Context) []string {
 s, _ := e.getSessionOrServiceAccount(ctx)
 groups, _ := getClaimStringSlice(s, "groups")
- groups = e.filterGroups(groups)
 return groups
 }
diff --git a/authorize/evaluator/headers_evaluator_test.go b/authorize/evaluator/headers_evaluator_test.go
index 918cf94e9..470334f2a 100644
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@@ -517,7 +517,8 @@ func TestHeadersEvaluator_JWTGroupsFilter(t *testing.T) {
 "no filtering", nil, nil, "SESSION-10",
 []any{"10", "20", "30", "40", "50", "GROUP-10", "GROUP-20", "GROUP-30", "GROUP-40", "GROUP-50"},
 },
- {"groups claim", []string{"foo", "quux"}, nil, "SESSION-11", []any{"foo"}},
+ // filtering has no effect on groups from an IdP "groups" claim
+ {"groups claim", []string{"foo", "quux"}, nil, "SESSION-11", []any{"foo", "bar", "baz"}},
 }
 ctx := storage.WithQuerier(context.Background(), storage.NewStaticQuerier(records...))
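Review bot: The only record that a configured groups filter is bypassed for groups taken from the IdP "groups" claim is the comment on the updated "groups claim" case in TestHeadersEvaluator_JWTGroupsFilter; getGroups itself now returns the claim verbatim with no explanation. That exception is security-relevant, because an operator who set a filter (presumably to limit which group names reach the JWT headers) will still get every IdP-claimed group emitted, so I would add a comment above `return groups` such as `// groups from the IdP "groups" claim are intentionally returned unfiltered; filterGroups is not applied to them`. The test case also sets only the first filter argument and leaves the second `nil`; if the second is a separate filter source, a sibling case with it set would pin the pass-through there too. Both getGroups and the test table begin outside the visible hunks, so other filtering paths may exist that are not shown here.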