From 098ab0357c1ee0d34cb1479055f57a38c62ebb04 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Wed, 23 Apr 2025 13:21:51 +0200 Subject: [PATCH] add casbin user test (#2474) * add casbin user test Signed-off-by: Kristoffer Dalby * Delete double slash * types/users: use join url on iss that are ursl Signed-off-by: Kristoffer Dalby --------- Signed-off-by: Kristoffer Dalby Co-authored-by: Juan Font --- hscontrol/types/users.go | 6 ++++++ hscontrol/types/users_test.go | 33 ++++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/hscontrol/types/users.go b/hscontrol/types/users.go
index 93133e4f..96988a0a 100644
--- a/hscontrol/types/users.go
+++ b/hscontrol/types/users.go
@@ -6,6 +6,7 @@ import (
 "encoding/json"
 "fmt"
 "net/mail"
+ "net/url"
 "strconv"
 "strings"
@@ -194,6 +195,11 @@ type OIDCClaims struct {
 }
 func (c *OIDCClaims) Identifier() string {
+ if strings.HasPrefix(c.Iss, "http") {
+ if i, err := url.JoinPath(c.Iss, c.Sub); err == nil {
+ return i
+ }
+ }
 return c.Iss + "/" + c.Sub
 }
diff --git a/hscontrol/types/users_test.go b/hscontrol/types/users_test.go
index e6007077..12029701 100644
--- a/hscontrol/types/users_test.go
+++ b/hscontrol/types/users_test.go
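Review bot: Identifier() now returns a different string than the old `c.Iss + "/" + c.Sub` concatenation for any issuer ending in a slash — the test below drops the `//v2.0/` form for exactly that reason — so wherever a stored ProviderIdentifier is compared byte-for-byte on the next login the match would presumably miss and a second local user could be created; the commit adds neither a migration of stored values nor a lookup-side normalization. Because this string is the key that ties an OIDC login to a local user, it also matters that url.JoinPath cleans the joined path: `.`, `..` and repeated `/` segments inside `c.Sub` are collapsed and characters such as spaces may be percent-encoded, so two distinct (iss, sub) pairs can yield the same identifier and one sub can yield an identifier that differs from the plain concatenation. A doc comment on Identifier should state that the result is a canonical key and that path cleaning is applied to both parts, so callers do not assume it is a plain join. The `strings.HasPrefix(c.Iss, "http")` guard additionally accepts any issuer starting with those four letters (e.g. `httpfoo`); `if u, err := url.Parse(c.Iss); err == nil && (u.Scheme == "http" || u.Scheme == "https") {` is the precise check.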
@@ -197,11 +197,42 @@ func TestOIDCClaimsJSONToUser(t *testing.T) {
 DisplayName: "XXXXXX XXXX",
 Name: "user@domain.com",
 ProviderIdentifier: sql.NullString{
- String: "https://login.microsoftonline.com//v2.0/I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
+ String: "https://login.microsoftonline.com/v2.0/I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
 Valid: true,
 },
 },
 },
+ {
+ // From https://github.com/juanfont/headscale/issues/2333
+ name: "casby-oidc-claim-20250513",
+ jsonstr: `
+ {
+ "sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "iss": "https://oidc.example.com/",
+ "aud": "xxxxxxxxxxxx",
+ "preferred_username": "user001",
+ "name": "User001",
+ "email": "user001@example.com",
+ "email_verified": true,
+ "picture": "https://cdn.casbin.org/img/casbin.svg",
+ "groups": [
+ "org1/department1",
+ "org1/department2"
+ ]
+}
+ `,
+ want: User{
+ Provider: util.RegisterMethodOIDC,
+ Name: "user001",
+ DisplayName: "User001",
+ Email: "user001@example.com",
+ ProviderIdentifier: sql.NullString{
+ String: "https://oidc.example.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ Valid: true,
+ },
+ ProfilePicURL: "https://cdn.casbin.org/img/casbin.svg",
+ },
+ },
 }
 for _, tt := range tests {
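Review bot: The new case's name `casby-oidc-claim-20250513` misspells casbin — the commit title and the picture URL in the same fixture both spell it `casbin` — so `name: "casbin-oidc-claim-20250513",` would keep the table greppable against the issue it references. The case only pins the issuer-with-trailing-slash path of Identifier; nothing in this hunk covers an issuer that does not start with `http`, and if the rows above have none either, a row such as (constructed) `"iss": "my-idp"` expecting the plain `my-idp/<sub>` concatenation would pin the fallback branch the same commit keeps. TestOIDCClaimsJSONToUser starts before this hunk.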