From 1bf28dac432e67a725e6db1922f3bc801060d7f4 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Mon, 26 Jun 2023 09:20:34 +0200
Subject: [PATCH] change assign roles logic
Signed-off-by: jkoberg
---
 changelog/unreleased/fix-oidc-role-assigner.md | 1 +
 services/proxy/pkg/userroles/oidcroles.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/changelog/unreleased/fix-oidc-role-assigner.md b/changelog/unreleased/fix-oidc-role-assigner.md
index 797eb7311..3850abc1f 100644
--- a/changelog/unreleased/fix-oidc-role-assigner.md
+++ b/changelog/unreleased/fix-oidc-role-assigner.md
@@ -5,3 +5,4 @@ This makes no sense as the user is supposed to have only one and the update will
 We still log an error level log to make the admin aware of that.
 https://github.com/owncloud/ocis/pull/6605
+https://github.com/owncloud/ocis/pull/6618
diff --git a/services/proxy/pkg/userroles/oidcroles.go b/services/proxy/pkg/userroles/oidcroles.go
index e51232dda..a5db4c10c 100644
--- a/services/proxy/pkg/userroles/oidcroles.go
+++ b/services/proxy/pkg/userroles/oidcroles.go
@@ -93,7 +93,7 @@ func (ra oidcRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user *c
 }
 logger.Debug().Interface("assignedRoleIds", assignedRoles).Msg("Currently assigned roles")
- if len(assignedRoles) == 0 || (assignedRoles[0] != roleIDFromClaim) {
+ if len(assignedRoles) != 1 || (assignedRoles[0] != roleIDFromClaim) {
 logger.Debug().Interface("assignedRoleIds", assignedRoles).Interface("newRoleId", roleIDFromClaim).Msg("Updating role assignment for user")
 newctx, err := ra.prepareAdminContext()
 if err != nil {
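Review bot: The changed `if` in `UpdateUserRoleAssignment` now enforces an authorization invariant (a user holds exactly one role, and it equals the role derived from the OIDC claim), but nothing in the hunk states it and the diffstat shows no test accompanying the change. I would add a comment above the condition, for example `// Only a single assignment equal to roleIDFromClaim is left untouched; zero, several, or a mismatched role are reset from the claim.`, and note there that the `len` check must stay first because it guards the `assignedRoles[0]` index. A regression test for a user with two assignments whose first entry already equals `roleIDFromClaim` would pin the case the old `== 0` check skipped, where a surplus role stayed assigned. Whether the update path actually removes the extra assignments is decided outside this hunk and should be confirmed there; the function body starts and ends outside the hunk.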