From 96788d5487bc0cb2dc3bf2dadb12111c2388b833 Mon Sep 17 00:00:00 2001
From: Didier 'OdyX' Raboud <didier.raboud@liip.ch>
Date: Wed, 28 Aug 2024 16:05:19 +0200
Subject: [PATCH] [IMP] auth_oidc: Add _auth_oauth_signing to (un)link from
 groups

Thanks to https://github.com/OCA/server-auth/pull/372/commits/4204bd8df1d8a13f996d3c735c072d4da84450b5

@hbrunn & @26hpredraglazarevic
---
 auth_oidc/models/res_users.py | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 1684480fa4..b19693901e 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -8,6 +8,7 @@
 
 from odoo import api, models
 from odoo.exceptions import AccessDenied
+from odoo.fields import Command
 from odoo.http import request
 
 _logger = logging.getLogger(__name__)
@@ -44,6 +45,41 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
         # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
         return response_json.get("access_token"), response_json.get("id_token")
 
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        """
+        retrieve and sign in the user corresponding to provider and validated
+        access token
+
+        :param provider: oauth provider id (int)
+        :param validation: result of validation of access token (dict)
+        :param params: oauth parameters (dict)
+        :return: user login (str)
+        :raise: AccessDenied if signin failed
+        """
+        login = super()._auth_oauth_signin(provider, validation, params)
+        user = self.search([("login", "=", login)])
+        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
+        # Assume the groups are exclusively managed via OAuth 'groups'
+        if user and oauth_provider.groups_field in validation:
+            group_updates = []
+            for group_line in oauth_provider.group_line_ids:
+                if group_line.oauth_group_name in validation.get(
+                    oauth_provider.groups_field
+                ):
+                    _logger.debug(
+                        f"Add user {user.id} to the group {group_line.group_id.id}"
+                    )
+                    group_updates.append((Command.LINK, group_line.group_id.id))
+                else:
+                    _logger.debug(
+                        f"Remove user {user.id} from the group {group_line.group_id.id}"
+                    )
+                    group_updates.append((Command.UNLINK, group_line.group_id.id))
+            if group_updates:
+                user.write({"groups_id": group_updates})
+        return login
+
     @api.model
     def auth_oauth(self, provider, params):
         oauth_provider = self.env["auth.oauth.provider"].browse(provider)