From 335db844a350a0f4fca775cfd13e45801c974bf8 Mon Sep 17 00:00:00 2001
From: jrlost
Date: Thu, 21 Apr 2022 12:43:18 -0500
Subject: [PATCH] RBAC updates to support aggregated role bindings (#870)
* RBAC updates to support aggregated role bindings when using the OidcRoleMapping with an external identity provider.
* Fixed braces to match existing styling.
* Simplified role mapping predicate.
Co-authored-by: John Fredrickson
---
 .../src/Squidex/Config/Authentication/OidcHandler.cs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/backend/src/Squidex/Config/Authentication/OidcHandler.cs b/backend/src/Squidex/Config/Authentication/OidcHandler.cs
index 19ba1bfab..af835fe78 100644
--- a/backend/src/Squidex/Config/Authentication/OidcHandler.cs
+++ b/backend/src/Squidex/Config/Authentication/OidcHandler.cs
@@ -26,14 +26,14 @@ namespace Squidex.Config.Authentication
 if (!string.IsNullOrWhiteSpace(options.OidcRoleClaimType) && options.OidcRoleMapping?.Count >= 0)
 {
- var role = identity.FindFirst(x => x.Type == options.OidcRoleClaimType)?.Value;
+ var permissions = options.OidcRoleMapping
+ .Where(r => identity.HasClaim(options.OidcRoleClaimType, r.Key))
+ .SelectMany(r => r.Value)
+ .Distinct();
- if (!string.IsNullOrWhiteSpace(role) && options.OidcRoleMapping.TryGetValue(role, out var permissions) && permissions != null)
+ foreach (var permission in permissions)
 {
- foreach (var permission in permissions)
- {
- identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
- }
+ identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
 }
 }
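Review bot: The rewritten query drops the `permissions != null` guard that the removed `TryGetValue` branch had. In `.SelectMany(r => r.Value)`, a mapping entry whose value is null (for example a role key configured without a permission list) will throw once the `foreach` enumerates it, and because this runs while the external identity is being processed, users holding that role would presumably fail to sign in. Keeping the old tolerance is one line, `.SelectMany(r => r.Value ?? Enumerable.Empty<string>())`, assuming the mapping values are string collections as the `new Claim(SquidexClaimTypes.Permissions, permission)` call suggests. Permissions are now the union over every matching role claim, and `identity.HasClaim(type, value)` matches the claim type case-insensitively where the removed `x.Type == options.OidcRoleClaimType` did not, so a short comment stating that the mapping is additive and fully trusts the identity provider's role claims would help the next reviewer. The enclosing method starts and ends outside the hunk.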