fix: Remove early returns in claims transformation will allow it chec…

…k all flags
NikiforovAll · May 9, 2024 · 88a5895 · 88a5895
1 parent 056e649
commit 88a5895
Showing 1 changed file with 45 additions and 51 deletions.
diff --git a/src/Keycloak.AuthServices.Authorization/Claims/KeycloakRolesClaimsTransformation.cs b/src/Keycloak.AuthServices.Authorization/Claims/KeycloakRolesClaimsTransformation.cs
@@ -73,73 +73,67 @@ public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
         if (this.roleSource.HasFlag(RolesClaimTransformationSource.ResourceAccess))
         {
             var resourceAccessValue = principal.FindFirst("resource_access")?.Value;
-            if (string.IsNullOrWhiteSpace(resourceAccessValue))
+            if (!string.IsNullOrWhiteSpace(resourceAccessValue))
             {
-                return Task.FromResult(result);
-            }
-
-            using var resourceAccess = JsonDocument.Parse(resourceAccessValue);
-            var containsAudienceRoles = resourceAccess.RootElement.TryGetProperty(
-                this.audience,
-                out var rolesElement
-            );
-
-            if (!containsAudienceRoles)
-            {
-                return Task.FromResult(result);
-            }
-
-            var clientRoles = rolesElement.GetProperty("roles");
-
-            foreach (var role in clientRoles.EnumerateArray())
-            {
-                var value = role.GetString();
-
-                var matchingClaim = identity.Claims.FirstOrDefault(claim =>
-                    claim.Type.Equals(
-                        this.roleClaimType,
-                        StringComparison.InvariantCultureIgnoreCase
-                    ) && claim.Value.Equals(value, StringComparison.InvariantCultureIgnoreCase)
+                using var resourceAccess = JsonDocument.Parse(resourceAccessValue);
+                var containsAudienceRoles = resourceAccess.RootElement.TryGetProperty(
+                    this.audience,
+                    out var rolesElement
                 );
 
-                if (matchingClaim is null && !string.IsNullOrWhiteSpace(value))
+                if (containsAudienceRoles)
                 {
-                    identity.AddClaim(new Claim(this.roleClaimType, value));
+                    var clientRoles = rolesElement.GetProperty("roles");
+
+                    foreach (var role in clientRoles.EnumerateArray())
+                    {
+                        var value = role.GetString();
+
+                        var matchingClaim = identity.Claims.FirstOrDefault(claim =>
+                            claim.Type.Equals(
+                                this.roleClaimType,
+                                StringComparison.InvariantCultureIgnoreCase
+                            ) && claim.Value.Equals(value, StringComparison.InvariantCultureIgnoreCase)
+                        );
+
+                        if (matchingClaim is null && !string.IsNullOrWhiteSpace(value))
+                        {
+                            identity.AddClaim(new Claim(this.roleClaimType, value));
+                        }
+                    }
                 }
             }
         }
 
         if (this.roleSource.HasFlag(RolesClaimTransformationSource.Realm))
         {
             var realmAccessValue = principal.FindFirst("realm_access")?.Value;
-            if (string.IsNullOrWhiteSpace(realmAccessValue))
+            if (!string.IsNullOrWhiteSpace(realmAccessValue))
             {
-                return Task.FromResult(result);
-            }
-
-            using var realmAccess = JsonDocument.Parse(realmAccessValue);
+                using var realmAccess = JsonDocument.Parse(realmAccessValue);
 
-            var containsRoles = realmAccess.RootElement.TryGetProperty(
-                "roles",
-                out var rolesElement
-            );
+                var containsRoles = realmAccess.RootElement.TryGetProperty(
+                    "roles",
+                    out var rolesElement
+                );
 
-            if (containsRoles)
-            {
-                foreach (var role in rolesElement.EnumerateArray())
+                if (containsRoles)
                 {
-                    var value = role.GetString();
-
-                    var matchingClaim = identity.Claims.FirstOrDefault(claim =>
-                        claim.Type.Equals(
-                            this.roleClaimType,
-                            StringComparison.InvariantCultureIgnoreCase
-                        ) && claim.Value.Equals(value, StringComparison.InvariantCultureIgnoreCase)
-                    );
-
-                    if (matchingClaim is null && !string.IsNullOrWhiteSpace(value))
+                    foreach (var role in rolesElement.EnumerateArray())
                     {
-                        identity.AddClaim(new Claim(this.roleClaimType, value));
+                        var value = role.GetString();
+
+                        var matchingClaim = identity.Claims.FirstOrDefault(claim =>
+                            claim.Type.Equals(
+                                this.roleClaimType,
+                                StringComparison.InvariantCultureIgnoreCase
+                            ) && claim.Value.Equals(value, StringComparison.InvariantCultureIgnoreCase)
+                        );
+
+                        if (matchingClaim is null && !string.IsNullOrWhiteSpace(value))
+                        {
+                            identity.AddClaim(new Claim(this.roleClaimType, value));
+                        }
                     }
                 }
             }