From 8e4776ada16bb94ecf3381fe7ef2653426a25453 Mon Sep 17 00:00:00 2001
From: "Willnow, Patrick"
Date: Thu, 3 Oct 2024 23:25:00 +0200
Subject: [PATCH] add handling nested claims...
---
 backend/open_webui/main.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index 89aed7fcb..6b601d446 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -2251,7 +2251,16 @@ async def oauth_callback(provider: str, request: Request, response: Response):
 if Users.get_num_users() == 1:
 role = "admin"
 elif webui_app.state.config.ENABLE_OAUTH_ROLE_MAPPING:
- oauth_roles = user_data.get(webui_app.state.config.OAUTH_ROLES_CLAIM)
+ oauth_claim = webui_app.state.config.OAUTH_ROLES_CLAIM
+ oauth_roles = user_data.get(oauth_claim) # Works for simple claims with no nesting
+ if "." in oauth_claim:
+ # Implementation to handle nested claims of arbitrary depth
+ nested_claims = oauth_claim.split(".")
+ claim_data = user_data.get(nested_claims[0])
+ for nested_claim in nested_claims[1:]:
+ claim_data = claim_data.get(nested_claim)
+ oauth_roles = claim_data
+ log.info(f"User {user.name} has OAuth roles: {oauth_roles}")
 if oauth_roles:
 for allowed_role in ["pending", "user", "admin"]:
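Review bot: The nested lookup calls `claim_data.get(nested_claim)` without checking that the previous step returned a dict, so a token that lacks an intermediate key (or carries a non-object value there) raises AttributeError inside the callback instead of leaving the role at its default. The `if "." in oauth_claim:` branch also overwrites the result of the flat `user_data.get(oauth_claim)` unconditionally, which breaks flat claim names that legitimately contain dots, such as URL-namespaced claims. I would keep the flat value when it is present and walk the dotted path only as a fallback, stopping as soon as a level is not a dict. oauth_callback starts and ends outside this hunk, so how the role is finally assigned from `oauth_roles` is not visible here.

```python
oauth_claim = webui_app.state.config.OAUTH_ROLES_CLAIM
oauth_roles = user_data.get(oauth_claim)  # flat claim name, dots included
if oauth_roles is None and "." in oauth_claim:
    # Fall back to a nested path; stop at the first level that is not a dict
    claim_data = user_data
    for nested_claim in oauth_claim.split("."):
        if not isinstance(claim_data, dict):
            claim_data = None
            break
        claim_data = claim_data.get(nested_claim)
    oauth_roles = claim_data
# … unchanged: log.info call and the allowed_role loop …
```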