From 3b4e3415c8a2963f2ea6f09ca58d64f484c1a53b Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Fri, 2 Jul 2021 22:47:08 -0700
Subject: [PATCH] Override groups on refresh even if empty

---
 providers/oidc.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/providers/oidc.go b/providers/oidc.go
index 28e15cb2..67556ca7 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -196,6 +196,11 @@ func replaceSession(s *sessions.SessionState, newSession *sessions.SessionState)
 	// If it doesn't it's probably better to retain the old one
 	if newSession.IDToken != "" {
 		s.IDToken = newSession.IDToken
+
+		// Override groups even if empty to prevent a user removed
+		// from all groups retaining access after refresh
+		// Only override if IDToken was present to set Groups.
+		s.Groups = newSession.Groups
 	}
 
 	// Only copy over fields if they are present. Otherwise they might've
@@ -207,9 +212,6 @@ func replaceSession(s *sessions.SessionState, newSession *sessions.SessionState)
 	if newSession.User != "" {
 		s.User = newSession.User
 	}
-	if newSession.Groups != nil {
-		s.Groups = newSession.Groups
-	}
 	if newSession.PreferredUsername != "" {
 		s.PreferredUsername = newSession.PreferredUsername
 	}
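Review bot: The new `s.Groups = newSession.Groups` runs only inside `if newSession.IDToken != "" {`, so a refresh whose token response carries no new id_token (which OIDC permits) still keeps the stale groups, and a user removed from all groups retains access on that path — the commit closes the gap only when the IdP reissues the ID token. The added comment should state this limit explicitly, e.g. `// NOTE: when the refresh response has no id_token the previous groups are kept unchanged; group revocation is only observed once the IdP reissues the token.` The sentence "Only override if IDToken was present to set Groups" also implies Groups is populated from the ID token; if the initial session can obtain groups from the userinfo/profile endpoint instead (not visible in this hunk), a reissued ID token without a groups claim would now empty them, so that assumption is worth confirming against the caller. replaceSession's body begins before and continues past both hunks.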