diff --git a/src/OpenIDConnect.php b/src/OpenIDConnect.php
index 8526e309562dd144d0aa9e85b6af9025ea803494..93fdabfa069f49e4dd5b0cec8f3b7a931a6e8e19 100644
--- a/src/OpenIDConnect.php
+++ b/src/OpenIDConnect.php
@@ -713,14 +713,18 @@ class OpenIDConnect {
 // Map groups to Drupal roles.
 $role_mappings = $this->configFactory->get('openid_connect.settings')->get('role_mappings') ?? [];
 $user_groups = $userinfo['groups'] ?? [];
- foreach ($role_mappings as $role => $mappings) {
- if (empty(array_intersect($mappings, $user_groups))) {
- // User doesn't have a mapped role. Remove it from their account.
- $account->removeRole($role);
- }
- else {
- // User has a mapped role. Add it to their account.
- $account->addRole($role);
+
+ // Ensure that both role mappings and user groups are set before proceeding.
+ if (!empty($role_mappings) && !empty($user_groups)) {
+ foreach ($role_mappings as $role => $mappings) {
+ if (empty(array_intersect($mappings, $user_groups))) {
+ // User doesn't have a mapped role. Remove it from their account.
+ $account->removeRole($role);
+ }
+ else {
+ // User has a mapped role. Add it to their account.
+ $account->addRole($role);
+ }
 }
 }
diff --git a/tests/src/Unit/OpenIDConnectTest.php b/tests/src/Unit/OpenIDConnectTest.php
index 66f9d99b78a93998e58bee7f532d7538c7ab3e23..a93c2207532b1b42dff45d5b2064ff3eb4af2cc6 100644
--- a/tests/src/Unit/OpenIDConnectTest.php
+++ b/tests/src/Unit/OpenIDConnectTest.php
@@ -1378,7 +1378,7 @@ class OpenIDConnectTest extends UnitTestCase {
 'role2' => ['groupY'],
 ],
 'add' => [],
- 'remove' => ['role1', 'role2'],
+ 'remove' => [],
 ],
 'remove all groups when no groups in userinfo' => [
 'userinfo' => [],
@@ -1387,7 +1387,7 @@ class OpenIDConnectTest extends UnitTestCase {
 'role2' => ['groupY'],
 ],
 'add' => [],
- 'remove' => ['role1', 'role2'],
+ 'remove' => [],
 ],
 ];
 }
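Review bot: In `src/OpenIDConnect.php`, the new `!empty($user_groups)` guard makes role revocation fail open: when the userinfo carries no `groups` claim or an empty one, the `removeRole()` branch is skipped along with `addRole()`, so an account removed from every group at the identity provider keeps whatever mapped Drupal roles it already had. If the intent is only to tolerate providers that omit the claim, guard on its presence rather than its emptiness, e.g. `if (!empty($role_mappings) && isset($userinfo['groups'])) {`, so that a present-but-empty list still revokes. Whichever behaviour is chosen, the comment above the guard should state it explicitly, e.g. `// No groups claim: existing mapped roles are left in place and are NOT revoked.`, and recording the skip would help operators notice stale privileges. The enclosing method starts and ends outside the hunk, so how `$userinfo` is populated is not visible here.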
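Review bot: In `tests/src/Unit/OpenIDConnectTest.php`, the data-set label `'remove all groups when no groups in userinfo'` now contradicts its own expectation, since the hunk at `-1387` changes it to `'remove' => []`; rename it to something like `'keep existing roles when no groups in userinfo'`. The case edited by the hunk at `-1378` has its label outside the visible lines and probably needs the same check. Neither hunk adds a case that pins what happens to previously granted roles when the `groups` claim is present but empty, which is the security-relevant path of this change. The provider method starts outside both hunks.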