From 27afe21b453a707fdf752d0ead66bc16d9a37c80 Mon Sep 17 00:00:00 2001
From: Santeri Hurnanen <santeri.hurnanen@fame.fi>
Date: Fri, 20 Dec 2024 12:15:48 +0200
Subject: [PATCH] Disable openid_connect role mapping

This feature was fixed in https://www.drupal.org/project/openid_connect/issues/3492759.
Some of our projects have lingering configuration, so the module started to eat user roles.
Helfi should not use openid_connect role mapping, since we have custom implementation.
---
 helfi_tunnistamo.install | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/helfi_tunnistamo.install b/helfi_tunnistamo.install
index c55253b..d8b0a45 100644
--- a/helfi_tunnistamo.install
+++ b/helfi_tunnistamo.install
@@ -20,6 +20,8 @@ function helfi_tunnistamo_install() : void {
     ->set('user_login_display', 'below')
     // Logout from openid connect provider by default.
     ->set('end_session_enabled', TRUE)
+    // Do not map roles in openid_connect module.
+    ->set('role_mappings', [])
     ->save();
 }
 
@@ -59,3 +61,17 @@ function helfi_tunnistamo_update_9003() : void {
       ->save();
   }
 }
+
+/**
+ * UHF-X: Remove all openid_connect role mappings.
+ *
+ * Tunnistamo module has its own role mapping.
+ *
+ * @see \Drupal\helfi_tunnistamo\Plugin\OpenIDConnectClient\Tunnistamo::mapRoles()
+ */
+function helfi_tunnistamo_update_9004() : void {
+  \Drupal::configFactory()
+    ->getEditable('openid_connect.settings')
+    ->set('role_mappings', [])
+    ->save();
+}