Attached files:
#2 2962023-2.patch (514 bytes) by jibran

Comments

jibran created an issue. See original summary.

jibran wrote:

Title: Allow adding roles in openid_connect_create_user using userinfo » Allow adding roles in \Drupal\openid_connect\OpenIDConnect::createUser using userinfo
Status: Active » Needs review
File: 2962023-2.patch (514 bytes)

Here we go.

Mario Steinitz wrote:

Status: Needs review » Active

The problem with this approach is that roles are not default OpenID Connect claims provided by all potential IdPs that come into use with the openid_connect module. It would work with your very special IdP only, if done like this.

Once again, I suggest using hook_openid_connect_userinfo_save(). It provides the account that either has been created or identified for authentication, as well as your plugin ID and the entire userinfo within the $context variable.

By enabling the property mapping for every login within the OpenID Connect settings, this hook will be fired on every user login.

In your hook implementation you can then add the roles like this:

use Drupal\user\Entity\Role;
use Drupal\user\UserInterface;

/**
 * Implements hook_openid_connect_userinfo_save().
 */
function mymodule_openid_connect_userinfo_save(UserInterface $account, array $context) {
  // Only act for the intended client plugin, and only if the IdP sent a roles claim.
  if ($context['plugin_id'] !== 'generic' || !isset($context['userinfo']['roles'])) {
    return;
  }

  foreach ($context['userinfo']['roles'] as $rid) {
    // Grant the role only if a role with that ID exists on this site.
    if ($role = Role::load($rid)) {
      $account->addRole($role->id());
    }
  }
}

PS.: For sure a simplified example, as you might also wish to remove roles?

Let me know if it worked.

Mario Steinitz wrote:

Status: Active » Postponed (maintainer needs more info)
wluisi wrote:

I'm not able to get the user roles inside the $context['userinfo'] array. This is all that is present in the array when I debug inside an implementation of hook_openid_connect_userinfo_save():

Array (
  [sub] => 5
  [email] => testingroles@email.com
  [email_verified] => 1
  [name] => test5
  [preferred_username] => test5
  [zoneinfo] => America/New_York
)

My identity provider is a vanilla D7 site using OAuth2 Server module.

wluisi wrote:

Figured it out. Adding this here, in case someone else is doing something similar.

On the D7 site running the OAuth2 Server module, I had to use a hook to add the Drupal roles to the claims:

/**
 * Implements hook_oauth2_server_user_claims_alter().
 */
function MY_MODULE_oauth2_server_user_claims_alter(&$claims, $account, $requested_scopes) {
  if (!in_array('profile', $requested_scopes)) {
    return;
  }

  $claims['roles'] = array_values($account->roles);
}

Then on the D8 site, using the OpenID Connect module, you can use hook_openid_connect_userinfo_save() to grab the roles and do something with them:

use Drupal\user\UserInterface;
use Drupal\user\Entity\Role;

/**
 * Implements hook_openid_connect_userinfo_save().
 */
function MY_MODULE_openid_connect_userinfo_save(UserInterface $account, array $context) {
  if ($context['plugin_id'] !== 'generic' || !isset($context['userinfo']['roles'])) {
    return;
  }

  // Sync roles: the D7 side sends role names, so normalise to lowercase
  // before looking them up as D8 role IDs.
  foreach ($context['userinfo']['roles'] as $rid) {
    $rid = strtolower($rid);
    // Assignment, not comparison: grant the role only if it exists on this site.
    if ($role = Role::load($rid)) {
      $account->addRole($role->id());
    }
  }
}
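The two hook implementations above grant whatever role IDs the IdP names, which means the IdP (or anyone who can alter its claims) decides which local roles a user gets, and roles are never taken away again. The following is an added example, not code from this thread or from the openid_connect module: it syncs roles through an explicit allow-list mapping from claim values to Drupal role IDs, so only roles you have chosen to delegate can be granted or revoked, and it removes managed roles the IdP no longer asserts (the "remove roles" case Mario mentions). The module name `mymodule`, the config key `mymodule.settings:role_map`, the sample mapping and the `roles` claim layout are all assumptions; `getRoles()`, `addRole()`, `removeRole()`, `Role::load()` and `\Drupal::logger()` are the real Drupal 8 APIs.

```php
<?php

/**
 * @file
 * Added example (not part of the issue thread or the openid_connect module):
 * sync Drupal roles from a non-standard `roles` userinfo claim through an
 * explicit, allow-listed mapping. Module name, config key and the sample
 * mapping below are hypothetical.
 */

use Drupal\user\Entity\Role;
use Drupal\user\UserInterface;

/**
 * Returns the IdP claim value => Drupal role ID mapping.
 *
 * Only roles listed here can be granted or revoked by the IdP. Claim values
 * that are not mapped are ignored, so the IdP cannot hand out e.g.
 * 'administrator' merely by naming it in the claim.
 */
function mymodule_role_map(): array {
  // Assumption: the mapping lives in config; defaults are shown for clarity.
  $map = \Drupal::config('mymodule.settings')->get('role_map');
  return is_array($map) ? $map : [
    'Editor' => 'content_editor',
    'Site Manager' => 'site_manager',
  ];
}

/**
 * Computes which managed roles to add to and remove from an account.
 *
 * @param string[] $claim_roles
 *   Raw values from the IdP's roles claim.
 * @param string[] $current_roles
 *   The account's current role IDs (locked roles excluded).
 * @param string[] $map
 *   Claim value => Drupal role ID, as returned by mymodule_role_map().
 *
 * @return string[][]
 *   ['add' => role IDs to grant, 'remove' => role IDs to revoke].
 */
function mymodule_role_changes(array $claim_roles, array $current_roles, array $map): array {
  // Roles the IdP is allowed to manage; anything else on the account is left alone.
  $managed = array_values($map);
  // Match claim values case-insensitively against the mapping keys.
  $lower_map = array_change_key_case($map, CASE_LOWER);
  $wanted = [];
  foreach ($claim_roles as $claim) {
    if (!is_string($claim)) {
      continue;
    }
    $key = strtolower(trim($claim));
    if (isset($lower_map[$key])) {
      $wanted[$lower_map[$key]] = TRUE;
    }
  }
  $wanted = array_keys($wanted);
  return [
    'add' => array_values(array_diff($wanted, $current_roles)),
    'remove' => array_values(array_diff(array_intersect($current_roles, $managed), $wanted)),
  ];
}

/**
 * Implements hook_openid_connect_userinfo_save().
 */
function mymodule_openid_connect_userinfo_save(UserInterface $account, array $context) {
  if ($context['plugin_id'] !== 'generic' || !isset($context['userinfo']['roles'])) {
    return;
  }
  $claim_roles = (array) $context['userinfo']['roles'];
  // getRoles(TRUE) excludes the locked anonymous/authenticated roles.
  $changes = mymodule_role_changes($claim_roles, $account->getRoles(TRUE), mymodule_role_map());

  foreach ($changes['add'] as $rid) {
    // A mapped role that does not exist on this site is skipped, not created.
    if (Role::load($rid)) {
      $account->addRole($rid);
    }
  }
  foreach ($changes['remove'] as $rid) {
    $account->removeRole($rid);
  }

  if ($changes['add'] || $changes['remove']) {
    // Leave an audit trail of every IdP-driven role change.
    \Drupal::logger('mymodule')->notice('Role sync for @name: added [@add], removed [@remove]', [
      '@name' => $account->getAccountName(),
      '@add' => implode(', ', $changes['add']),
      '@remove' => implode(', ', $changes['remove']),
    ]);
  }
  // No explicit $account->save() here: the module saves the account after this hook.
}
```

With the sample mapping, a claim of `["Site Manager", "administrator"]` on an account currently holding `content_editor` yields `add = ['site_manager']` and `remove = ['content_editor']`; `administrator` is silently ignored because it is not in the map. Keeping the decision in `mymodule_role_changes()` also makes it a pure function that can be unit-tested without a Drupal bootstrap.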

rmrossa wrote:

I'm way past this, sorry.
I have a lot of it going on.

Is my admittedly small amount of experience with Drupal the issue or doesn't the hook_openid_connect_userinfo_save() hook exist anymore?
I really need the roles.
I've tried hook_openid_connect_userinfo_alter but the roles aren't being passed in.
Thanks

rcbcool wrote:

Hello @mario-steinitz,
Somehow the hook function hook_openid_connect_userinfo_save() is not triggered, and I am unable to proceed with the Drupal roles mapping.

My custom module has this hook, but it is not triggered.
Any help or suggestion would be really helpful. Thanks.

jcnventura wrote:

Status: Postponed (maintainer needs more info) » Closed (works as designed)

@rcbcool (and @rmrossa) This hook_openid_connect_userinfo_save() was added after 8.x-1.0-beta5 was released, and is only available in the new 8.x-1.0-beta6.

Please open a new issue if you need further assistance with that hook. I'm closing this issue as per #6