# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1685637179 -7200
# Node ID 7d9dce4e7dd0161b831578b07c32c401dfccb4cc
# Parent  320593cf7d90c9a15b311f4a78e83166c840fb80
mod_groups_oidc: Expose groups to OAuth clients

diff -r 320593cf7d90 -r 7d9dce4e7dd0 mod_groups_oidc/README.md
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_groups_oidc/README.md	Thu Jun 01 18:32:59 2023 +0200
@@ -0,0 +1,11 @@
+---
+summary: OIDC group membership in UserInfo
+labels:
+- Stage-Alpha
+rockspec:
+  dependencies:
+  - mod_http_oauth2 >= 200
+---
+
+This module exposes [mod_groups_internal] groups to
+[OAuth 2.0][mod_http_oauth2] clients via a `groups` scope/claim.
diff -r 320593cf7d90 -r 7d9dce4e7dd0 mod_groups_oidc/mod_groups_oidc.lua
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_groups_oidc/mod_groups_oidc.lua	Thu Jun 01 18:32:59 2023 +0200
@@ -0,0 +1,15 @@
+local array = require "util.array";
+
+module:add_item("openid-claim", "groups");
+
+local group_memberships = module:open_store("groups", "map");
+local function user_groups(username)
+	return pairs(group_memberships:get_all(username) or {});
+end
+
+module:hook("token/userinfo", function(event)
+	local userinfo = event.userinfo;
+	if event.claims:contains("groups") then
+		userinfo.groups = array(user_groups(event.username));
+	end
+end);
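Review bot: The `or {}` on the `get_all` call in user_groups hides a storage failure behind an empty group list, so a backend read error would be reported to the OAuth client as "this user has no groups" rather than as a failure; if `get_all` follows the usual `nil, err` store convention, the error should at least be logged before falling back. The array built from `pairs` also has unspecified iteration order, so the `groups` claim may come back in a different order on each request — either sort it or document that clients must not depend on the order. A short comment on `userinfo.groups = array(user_groups(event.username));` saying that the iterator form of array() collects the iterator's first value, i.e. the group IDs (the keys), would help, since at a glance it reads as if the values were collected.
```lua
local function user_groups(username)
	local groups, err = group_memberships:get_all(username);
	if err then
		-- Do not silently report "no groups" when the store could not be read
		module:log("warn", "Could not read group memberships for %s: %s", username, err);
	end
	return pairs(groups or {});
end
-- … unchanged: token/userinfo hook …
```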