Support For When Single Role is a String from OIDC Token

[k----n]

We are using an OIDC authentication provider that is a non-array string with a single role.

Is this something that the project would be open have as a change?

Happy to submit a PR that will modify the following:

1. The function below
   

   containerproxy/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

   Lines 238 to 275 in 5f0fa2d

   	public static List<String> parseRolesClaim(Logger log, String rolesClaimName, Object claimValue) {
   	if (claimValue == null) {
   	log.debug(String.format("No roles claim with name %s found", rolesClaimName));
   	return new ArrayList<>();
   	} else {
   	log.debug(String.format("Matching claim found: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
   	}
   	if (claimValue instanceof Collection) {
   	List<String> result = new ArrayList<>();
   	for (Object object : ((Collection<?>) claimValue)) {
   	if (object != null) {
   	result.add(object.toString());
   	}
   	}
   	log.debug(String.format("Parsed roles claim as Java Collection: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
   	return result;
   	}
   	if (claimValue instanceof String) {
   	List<String> result = new ArrayList<>();
   	try {
   	Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse((String) claimValue);
   	if (value instanceof List) {
   	List<?> valueList = (List<?>) value;
   	valueList.forEach(o -> result.add(o.toString()));
   	}
   	} catch (ParseException e) {
   	// Unable to parse JSON
   	log.debug(String.format("Unable to parse claim as JSON: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
   	}
   	log.debug(String.format("Parsed roles claim as JSON: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
   	return result;
   	}
   	log.debug(String.format("No parser found for roles claim (unsupported type): %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
   	return new ArrayList<>();
   	}

2. The tests below
   https://github.com/openanalytics/containerproxy/blob/5f0fa2d98d0e0014a1190f85755634a4845ee834/src/test/java/eu/openanalytics/containerproxy/test/unit/TestOpenIdParseClaimRoles.java

[LEDfan]

Hi

I'm not sure if it would be a good idea to add this. The parsing code is already relatively complex with (e.g. to support non-standard JSON). Although the change would be quite easy indeed.

Nevertheless, in the mean time you can use the access-expression feature instead: https://shinyproxy.io/documentation/spel/#access-expression

For example:

access-expression: "#{oidcUser.attributes.test_role == 'my_value'}"

I'll keep this issue open as a feature request so that we can consider it for the next release.