diff --git a/authorize/evaluator/headers_evaluator_evaluation.go b/authorize/evaluator/headers_evaluator_evaluation.go
index 1b22f6f89..82f39151c 100644
--- a/authorize/evaluator/headers_evaluator_evaluation.go
+++ b/authorize/evaluator/headers_evaluator_evaluation.go
@@ -312,6 +312,17 @@ func (e *headersEvaluatorEvaluation) getJWTPayloadEmail(ctx context.Context) str
 }
 
 func (e *headersEvaluatorEvaluation) getJWTPayloadGroups(ctx context.Context) []string {
+	groups := e.getGroups(ctx)
+	if groups == nil {
+		// If there are no groups, marshal this claim as an empty list rather than a JSON null,
+		// for better compatibility with third-party libraries.
+		// See https://github.com/pomerium/pomerium/issues/5393 for one example.
+		groups = []string{}
+	}
+	return groups
+}
+
+func (e *headersEvaluatorEvaluation) getGroups(ctx context.Context) []string {
 	groupIDs := e.getGroupIDs(ctx)
 	if len(groupIDs) > 0 {
 		groupIDs = e.filterGroups(groupIDs)
@@ -323,12 +334,6 @@ func (e *headersEvaluatorEvaluation) getJWTPayloadGroups(ctx context.Context) []
 	s, _ := e.getSessionOrServiceAccount(ctx)
 	groups, _ := getClaimStringSlice(s, "groups")
 
-	if groups == nil {
-		// If there are no groups, marshal this claim as an empty list rather than a JSON null,
-		// for better compatibility with third-party libraries.
-		// See https://github.com/pomerium/pomerium/issues/5393 for one example.
-		groups = []string{}
-	}
 	return groups
 }
 
diff --git a/authorize/evaluator/headers_evaluator_test.go b/authorize/evaluator/headers_evaluator_test.go
index 89344bf67..ee9f20fad 100644
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
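Review bot: The new `getGroups` helper carries no doc comment, and the nil-versus-empty contract is now the only thing that separates it from `getJWTPayloadGroups`, so that distinction should be stated on the helper: `// getGroups returns the filtered groups for the current session or service account, or nil when there are none. Callers that encode the result into the JWT should use getJWTPayloadGroups, which converts nil to an empty slice.` Without it, a future caller that reaches for `getGroups` directly would silently reintroduce the JSON `null` that the comment retained in `getJWTPayloadGroups` (issue 5393) was added to avoid. The body of `getGroups` continues past this hunk and closes in the second hunk of this file.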
@@ -498,14 +498,15 @@ func TestHeadersEvaluator_JWTGroupsFilter(t *testing.T) {
 		sessionID string
 		expected []any
 	}{
-		{"global filter 1", []string{"42", "1", "GROUP-12"}, nil, "SESSION-1", []any{"1", "42", "GROUP-12"}},
-		{"global filter 2", []string{"42", "1", "GROUP-12"}, nil, "SESSION-2", []any{"42", "GROUP-12"}},
-		{"route filter 1", nil, []string{"42", "1", "GROUP-12"}, "SESSION-1", []any{"1", "42", "GROUP-12"}},
-		{"route filter 2", nil, []string{"42", "1", "GROUP-12"}, "SESSION-2", []any{"42", "GROUP-12"}},
-		{"both filters 1", []string{"1"}, []string{"42", "GROUP-12"}, "SESSION-1", []any{"1", "42", "GROUP-12"}},
-		{"both filters 2", []string{"1"}, []string{"42", "GROUP-12"}, "SESSION-2", []any{"42", "GROUP-12"}},
-		{"overlapping", []string{"1"}, []string{"1"}, "SESSION-1", []any{"1"}},
-		{"empty route filter", []string{"1", "2", "3"}, []string{}, "SESSION-1", []any{"1", "2", "3"}},
+		{"global filter 1", []string{"42", "1"}, nil, "SESSION-1", []any{"1", "42", "GROUP-1", "GROUP-42"}},
+		{"global filter 2", []string{"42", "1"}, nil, "SESSION-2", []any{"42", "GROUP-42"}},
+		{"route filter 1", nil, []string{"42", "1"}, "SESSION-1", []any{"1", "42", "GROUP-1", "GROUP-42"}},
+		{"route filter 2", nil, []string{"42", "1"}, "SESSION-2", []any{"42", "GROUP-42"}},
+		{"both filters 1", []string{"1"}, []string{"42"}, "SESSION-1", []any{"1", "42", "GROUP-1", "GROUP-42"}},
+		{"both filters 2", []string{"1"}, []string{"42"}, "SESSION-2", []any{"42", "GROUP-42"}},
+		{"cannot filter by name", []string{"GROUP-1"}, nil, "SESSION-1", []any{}},
+		{"overlapping", []string{"1"}, []string{"1"}, "SESSION-1", []any{"1", "GROUP-1"}},
+		{"empty route filter", []string{"1", "2", "3"}, []string{}, "SESSION-1", []any{"1", "2", "3", "GROUP-1", "GROUP-2", "GROUP-3"}},
 		{
 			"no filtering", nil, nil, "SESSION-10", []any{"10", "20", "30", "40", "50", "GROUP-10", "GROUP-20", "GROUP-30", "GROUP-40", "GROUP-50"},