From 82ee75daab4a85620102d1f95c9b7409b87ae6c3 Mon Sep 17 00:00:00 2001
From: yusing
Date: Sun, 25 May 2025 09:14:54 +0800
Subject: [PATCH] fix(oidc): restore old user matching behavior
---
 internal/auth/oidc.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index 312ecd9..7f9d4ed 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -201,11 +201,12 @@ func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
 
 func (auth *OIDCProvider) checkAllowed(user string, groups []string) bool {
 userAllowed := slices.Contains(auth.allowedUsers, user)
- if !userAllowed {
- return false
+ if userAllowed {
+ return true
 }
 if len(auth.allowedGroups) == 0 {
- return true
+ // user is not allowed, but no groups are allowed
+ return false
 }
 return len(utils.Intersect(groups, auth.allowedGroups)) > 0
 }
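Review bot: `checkAllowed` has no doc comment stating its access rule, and this hunk changes that rule from "listed user AND (no groups configured or a matching group)" to "listed user OR a matching group". That widens access for any deployment that configured both `allowedUsers` and `allowedGroups` expecting both to apply. I would add a doc comment such as `// checkAllowed reports whether user is in allowedUsers or shares at least one group with allowedGroups; with both lists empty it denies everyone.` and reword the inline comment to `// user not listed and no groups configured: deny`. Whether an empty configuration is rejected or treated as allow-all before this function is called is not visible in the hunk, so that should be confirmed against the caller. A table-driven test covering user-only, group-only, both and neither would pin the intended semantics.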