From 1436e631a5b26e3cde59801141a774345cab492b Mon Sep 17 00:00:00 2001
From: Paul Astbury-Thomas
Date: Wed, 25 Jan 2023 15:55:35 +0000
Subject: [PATCH] Update permissions on external-callback login (#964)
* Update permissions on external-callback login
- Previously users that already existed would not have their permissions updated in Squidex
* Added configuration option to toggle new behaviour
- oidcOverridePermissionsWithCustomClaimsOnLogin defaults to false to not impact existing implementations
- Removed invalid old and new claims comparison to instead rely on existing code in UserManagerExtensions.SyncClaims method
---
 .../Controllers/Account/AccountController.cs | 10 ++++++++++
 backend/src/Squidex/Config/MyIdentityOptions.cs | 2 ++
 backend/src/Squidex/appsettings.json | 1 +
 3 files changed, 13 insertions(+)
diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
index aca33f5e2..d100a5128 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@@ -240,6 +240,16 @@ public sealed class AccountController : IdentityServerController
         if (isLoggedIn)
         {
             user = await userService.FindByLoginAsync(login.LoginProvider, login.ProviderKey, HttpContext.RequestAborted);
+
+            if (user != null && identityOptions.OidcOverridePermissionsWithCustomClaimsOnLogin)
+            {
+                var values = new UserValues
+                {
+                    CustomClaims = login.Principal.Claims.GetSquidexClaims().ToList()
+                };
+
+                user = await userService.UpdateAsync(user.Id, values, false, HttpContext.RequestAborted);
+            }
         }
         else
         {
diff --git a/backend/src/Squidex/Config/MyIdentityOptions.cs b/backend/src/Squidex/Config/MyIdentityOptions.cs
index c91ac29de..148e284dc 100644
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
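Review bot: With the option enabled, the `UpdateAsync` call hands the user's `CustomClaims` over to whatever Squidex claims the external principal carried on this particular login, so an identity provider that omits those claims (or is misconfigured) will, on the next sign-in, have its empty set applied in place of the locally managed permissions and roles; that appears to be the intended "override" semantics, but nothing in the code records that trust decision. A comment above the new `if` would make it explicit: `// When enabled, the external IdP is authoritative for permissions: its Squidex claims are written over the stored ones on every login, including when it sends none.` The bare `false` passed to `UpdateAsync` also reads as a magic value; a named argument for that parameter would say what is being switched off. The enclosing method starts and ends outside the hunk.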
@@ -59,6 +59,8 @@ public sealed class MyIdentityOptions
     public bool OidcGetClaimsFromUserInfoEndpoint { get; set; }
+    public bool OidcOverridePermissionsWithCustomClaimsOnLogin { get; set; }
+
     public bool AdminRecreate { get; set; }
     public bool AllowPasswordAuth { get; set; }
diff --git a/backend/src/Squidex/appsettings.json b/backend/src/Squidex/appsettings.json
index 89633af36..281dff641 100644
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@@ -599,6 +599,7 @@
 ],
 "oidcResponseType": "id_token", // or "code"
 "oidcGetClaimsFromUserInfoEndpoint": false,
+"oidcOverridePermissionsWithCustomClaimsOnLogin": false,
 "oidcOnSignoutRedirectUrl": "",
 // Lock new users automatically, the administrator must unlock them.
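Review bot: `OidcOverridePermissionsWithCustomClaimsOnLogin` is a security-relevant switch and carries no documentation, so an operator reading the options class cannot tell that turning it on moves authority over permissions from Squidex to the identity provider. A summary on the property would close that gap: `/// <summary>When true, the Squidex claims supplied by the external identity provider are applied to the user on every external login, not only when the user is first created; defaults to false.</summary>`. Whether the applied claims fully replace or merge with the stored ones is decided by code outside this patch, so the summary should be checked against that behaviour before it is committed.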
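Review bot: The new `"oidcOverridePermissionsWithCustomClaimsOnLogin": false` entry is the only OIDC key in this block without an explanatory comment, while its neighbour `"oidcResponseType"` documents its alternatives inline, and this is the setting an operator is most likely to flip without understanding the consequence. A trailing comment in the file's existing style would do: `"oidcOverridePermissionsWithCustomClaimsOnLogin": false, // When true, permissions and roles from the provider's custom claims are applied on every login, not only when the user is first created.`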