From 642ba174d42cc8d1385185007ae8c597f1f4d54d Mon Sep 17 00:00:00 2001
From: rd-danny-fleer <167874449+rd-danny-fleer@users.noreply.github.com>
Date: Mon, 7 Oct 2024 20:08:44 +0200
Subject: [PATCH] fix: unable to use hyphen in JSON path for oidc-groups-claim option (#2619)
---
 CHANGELOG.md | 1 +
 pkg/providers/util/claim_extractor.go | 8 +++-----
 pkg/providers/util/claim_extractor_test.go | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a61dde..ee00fd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 ## Changes since v7.7.0
 - [#2803](https://github.com/oauth2-proxy/oauth2-proxy/pull/2803) fix: self signed certificate handling in v7.7.0 (@tuunit)
+- [#2619](https://github.com/oauth2-proxy/oauth2-proxy/pull/2619) fix: unable to use hyphen in JSON path for oidc-groups-claim option (@rd-danny-fleer)
 # V7.7.0
diff --git a/pkg/providers/util/claim_extractor.go b/pkg/providers/util/claim_extractor.go
index 969fe09..ec2fac9 100644
--- a/pkg/providers/util/claim_extractor.go
+++ b/pkg/providers/util/claim_extractor.go
@@ -11,7 +11,6 @@ import (
 "github.com/bitly/go-simplejson"
 "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
- "github.com/ohler55/ojg/jp"
 "github.com/spf13/cast"
 )
@@ -140,12 +139,11 @@ func parseJWT(p string) ([]byte, error) {
 }
 // getClaimFrom gets a claim from a Json object.
-// It can accept either a single claim name or a json path if the path is a valid json path.
+// It can accept either a single claim name or a json path. The claim is always evaluated first as a single claim name.
 // Paths with indexes are not supported.
 func getClaimFrom(claim string, src *simplejson.Json) interface{} {
- _, err := jp.ParseString(claim)
- if err != nil {
- return src.Get(claim).Interface()
+ if value, ok := src.CheckGet(claim); ok {
+ return value.Interface()
 }
 claimParts := strings.Split(claim, ".")
 return src.GetPath(claimParts...).Interface()
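Review bot: In `getClaimFrom`, a dotted claim string is now matched against a literal top-level key before it is split into a path, so a token carrying both a top-level key named `a.b` and a nested `a` → `b` returns the top-level value, where the removed `jp.ParseString` branch would have taken the nested one for a parseable path. The commit subject ties this function to the groups claim, so which of the two wins presumably feeds authorization decisions (the callers are outside the hunk). The updated doc comment states the order but not the consequence; I would add `// If the token has a top-level key equal to the full claim string, that value is returned and the dotted path is not evaluated.` so operators know to check how their identity provider names top-level claims.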
diff --git a/pkg/providers/util/claim_extractor_test.go b/pkg/providers/util/claim_extractor_test.go
index be4f672..b6d0b51 100644
--- a/pkg/providers/util/claim_extractor_test.go
+++ b/pkg/providers/util/claim_extractor_test.go
@@ -25,6 +25,12 @@ const (
 "idTokenGroup1",
 "idTokenGroup2"
 ],
+ "nested-groups-claim-containing-hyphen": {
+ "groups": [
+ "nestedClaimContainingHypenGroup1",
+ "nestedClaimContainingHypenGroup2"
+ ]
+ },
 "https://groups.test": [
 "fqdnGroup1",
 "fqdnGroup2"
@@ -239,6 +245,18 @@ var _ = Describe("Claim Extractor Suite", func() {
 expectedValue: []interface{}{"fqdnGroup1", "fqdnGroup2"},
 expectedError: nil,
 }),
+ Entry("retrieves claim with nested groups claim containing hyphen", getClaimTableInput{
+ testClaimExtractorOpts: testClaimExtractorOpts{
+ idTokenPayload: basicIDTokenPayload,
+ setProfileURL: true,
+ profileRequestHeaders: newAuthorizedHeader(),
+ profileRequestHandler: shouldNotBeRequestedProfileHandler,
+ },
+ claim: "nested-groups-claim-containing-hyphen.groups",
+ expectExists: true,
+ expectedValue: []interface{}{"nestedClaimContainingHypenGroup1", "nestedClaimContainingHypenGroup2"},
+ expectedError: nil,
+ }),
 )
 })
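Review bot: The added `Entry` covers only the successful hyphenated path, so nothing pins the lookup order that the changed `getClaimFrom` introduces, where a payload holds both a literal top-level key containing a dot and a nested object reachable by the same string. That case needs its own payload constant, because adding such a literal key to `basicIDTokenPayload` would change what this entry returns. A miss case is a smaller addition: an entry with `claim: "nested-groups-claim-containing-hyphen.missing"` and `expectExists: false`, assuming a missing path is reported as not existing, which the hunk does not show. The fixture values spell `Hypen`; `Hyphen` would match the claim name.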