Merge branch '209975-oidc-claim-group-level' into 'master'

Provide group membership level in OIDC claim

See merge request gitlab-org/gitlab!27264

changelogs/unreleased/209975-oidc-claim-group-level.yml

+---
+title: Provide group membership level in OIDC claim
+merge_request: 27264
+author: Bastian Blank
+type: added

config/initializers/doorkeeper_openid_connect.rb

@@ -59,6 +59,15 @@ Doorkeeper::OpenidConnect.configure do
       o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
       o.claim(:groups)         { |user| user.membership_groups.joins(:route).with_route.map(&:full_path) }
       o.claim(:groups_direct, response: [:id_token]) { |user| user.groups.joins(:route).with_route.map(&:full_path) }
+      o.claim('https://gitlab.org/claims/groups/owner') do |user|
+        user.owned_groups.joins(:route).with_route.map(&:full_path).presence
+      end
+      o.claim('https://gitlab.org/claims/groups/maintainer') do |user|
+        user.maintainers_groups.joins(:route).with_route.map(&:full_path).presence
+      end
+      o.claim('https://gitlab.org/claims/groups/developer') do |user|
+        user.developer_groups.joins(:route).with_route.map(&:full_path).presence
+      end
     end
   end
 end

doc/integration/openid_connect_provider.md

@@ -51,5 +51,8 @@ The following user information is shared with clients:
 | `picture`        | `string`  | URL for the user's GitLab avatar
 | `groups`         | `array`   | Paths for the groups the user is a member of, either directly or through an ancestor group.
 | `groups_direct`  | `array`   | Paths for the groups the user is a direct member of.
+| `https://gitlab.org/claims/groups/owner`      | `array`   | Names of the groups the user is a direct member of with Owner role
+| `https://gitlab.org/claims/groups/maintainer` | `array`   | Names of the groups the user is a direct member of with Maintainer role
+| `https://gitlab.org/claims/groups/developer`  | `array`   | Names of the groups the user is a direct member of with Developer role
 
 The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.

spec/requests/openid_connect_spec.rb

@@ -37,7 +37,10 @@ RSpec.describe 'OpenID Connect requests' do
       'website'        => 'https://example.com',
       'profile'        => 'http://localhost/alice',
       'picture'        => "http://localhost/uploads/-/system/user/avatar/#{user.id}/dk.png",
-      'groups'         => kind_of(Array)
+      'groups'         => kind_of(Array),
+      'https://gitlab.org/claims/groups/owner'      => kind_of(Array),
+      'https://gitlab.org/claims/groups/maintainer' => kind_of(Array),
+      'https://gitlab.org/claims/groups/developer'  => kind_of(Array)
     }
   end
 
@@ -119,6 +122,7 @@ RSpec.describe 'OpenID Connect requests' do
       before do
         group1.add_user(user, GroupMember::OWNER)
         group3.add_user(user, Gitlab::Access::DEVELOPER)
+        group4.add_user(user, Gitlab::Access::MAINTAINER)
 
         request_user_info!
       end
@@ -129,6 +133,10 @@ RSpec.describe 'OpenID Connect requests' do
         expected_groups = [group1.full_path, group3.full_path]
         expected_groups << group4.full_path
         expect(json_response['groups']).to match_array(expected_groups)
+
+        expect(json_response['https://gitlab.org/claims/groups/owner']).to match_array([group1.full_path])
+        expect(json_response['https://gitlab.org/claims/groups/maintainer']).to match_array([group4.full_path])
+        expect(json_response['https://gitlab.org/claims/groups/developer']).to match_array([group3.full_path])
       end
 
       it 'does not include any unknown claims' do