Fix claim extraciton after testing on real auth0 setup

management/server/account.go

@@ -624,22 +624,25 @@ func (a *Account) GetPeer(peerID string) *Peer {
 }
 
 // AddJWTGroups to existed groups if they does not exists
-func (a *Account) AddJWTGroups(groups []string) error {
+func (a *Account) AddJWTGroups(groups []string) (int, error) {
 	existedGroups := make(map[string]*Group)
 	for _, g := range a.Groups {
 		existedGroups[g.Name] = g
 	}
 
+	var count int
 	for _, name := range groups {
 		if _, ok := existedGroups[name]; !ok {
-			a.Groups[name] = &Group{
-				ID:     xid.New().String(),
+			id := xid.New().String()
+			a.Groups[id] = &Group{
+				ID:     id,
 				Name:   name,
 				Issued: GroupIssuedJWT,
 			}
+			count++
 		}
 	}
-	return nil
+	return count, nil
 }
 
 // BuildManager creates a new DefaultAccountManager with a provided Store
@@ -1277,10 +1280,24 @@ func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.Authorizat
 			return account, user, nil
 		}
 		if claim, ok := claims.Raw[account.Settings.JWTGroupsClaimName]; ok {
-			if groups, ok := claim.([]string); ok {
-				if err := account.AddJWTGroups(groups); err != nil {
+			if slice, ok := claim.([]interface{}); ok {
+				var groups []string
+				for _, item := range slice {
+					if g, ok := item.(string); ok {
+						groups = append(groups, g)
+					} else {
+						log.Errorf("JWT claim %q is not a string: %v", account.Settings.JWTGroupsClaimName, item)
+					}
+				}
+				n, err := account.AddJWTGroups(groups)
+				if err != nil {
 					log.Errorf("failed to add JWT groups: %v", err)
 				}
+				if n > 0 {
+					if err := am.Store.SaveAccount(account); err != nil {
+						log.Errorf("failed to save account: %v", err)
+					}
+				}
 			} else {
 				log.Debugf("JWT claim %q is not a string array", account.Settings.JWTGroupsClaimName)
 			}

management/server/account_test.go

@@ -478,7 +478,7 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 		Domain:         domain,
 		UserId:         userId,
 		DomainCategory: "test-category",
-		Raw:            jwt.MapClaims{"idp-groups": []string{"group1", "group2"}},
+		Raw:            jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}},
 	}
 
 	t.Run("JWT groups disabled", func(t *testing.T) {
@@ -507,12 +507,17 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 		require.NoError(t, err, "get account by token failed")
 		require.Len(t, account.Groups, 3, "groups should be added to the account")
 
-		g1, ok := account.Groups["group1"]
+		groupsByNames := map[string]*Group{}
+		for _, g := range account.Groups {
+			groupsByNames[g.Name] = g
+		}
+
+		g1, ok := groupsByNames["group1"]
 		require.True(t, ok, "group1 should be added to the account")
 		require.Equal(t, g1.Name, "group1", "group1 name should match")
 		require.Equal(t, g1.Issued, GroupIssuedJWT, "group1 issued should match")
 
-		g2, ok := account.Groups["group2"]
+		g2, ok := groupsByNames["group2"]
 		require.True(t, ok, "group2 should be added to the account")
 		require.Equal(t, g2.Name, "group2", "group2 name should match")
 		require.Equal(t, g2.Issued, GroupIssuedJWT, "group2 issued should match")