add SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS and default to false

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py

@@ -88,6 +88,10 @@ SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS = environ.get(
     "SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS"
 )
 
+SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS = (
+    environ.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", default="false") == "true"
+)
+
 SPIFFWORKFLOW_BACKEND_AUTHENTICATION_DISABLED = (
     environ.get("SPIFFWORKFLOW_BACKEND_AUTHENTICATION_DISABLED", default="false") == "true"
 )

spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py

@@ -435,6 +435,8 @@ class AuthorizationService:
         user_attributes["service_id"] = user_info["sub"]
 
         desired_group_identifiers = None
+
+        if current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS"]:
             if "groups" in user_info:
                 desired_group_identifiers = user_info["groups"]
 

spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_authentication.py

@@ -29,6 +29,7 @@ class TestAuthentication(BaseTest):
         client: FlaskClient,
         with_db_and_bpmn_file_cleanup: None,
     ) -> None:
+        with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", True):
             user = self.find_or_create_user("testing@e.com")
             user.email = "testing@e.com"
             user.service = app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"]
@@ -44,6 +45,7 @@ class TestAuthentication(BaseTest):
                     "exp": round(time.time()) + 1000,
                 }
             )
+            response = None
             response = client.post(
                 f"/v1.0/login_with_access_token?access_token={access_token}",
             )