Problem

When certain TTL's expire we revalidate or refresh the session (e.g. https://github.com/buzzfeed/sso/blob/master/internal/proxy/oauthproxy.go#L759-L764), which then ends up directly calling the ValidateGroup provider method (https://github.com/buzzfeed/sso/blob/master/internal/proxy/providers/sso.go#L381).

Because here we're not using the validator abstractions, if group validation isn't being utilised, then this causes a 403 with user is no longer in valid groups to be returned, requiring the user to refresh the page to progress further.

Solution

The logic within ValidateGroup to return a success when an empty slice of groups is passed in was removed during some refactoring as, when using 'validator' abstractions this was deemed bad behaviour**, but until we stop calling ValidateGroup directly and use those abstractions everywhere we need to maintain this behaviour.

#275 fixes this in a more permanent, stable fashion by replacing any remaining direct calls to ValidateGroup with calls to the validator abstractions, however until that is merged this is one possible temporary fix.

Notes

**This was deemed bad behaviour because if the group validator is the only validator in use (and not email domains or addresses), then allowing ValidateGroup to return successful if an empty list of groups is passed becomes a loophole to allow the defining of no validators, something which we explicitly prevent (https://github.com/buzzfeed/sso/blob/master/internal/proxy/options.go#L205-L213)