From 3894cd6f3d81fc30b5f553ac149d7cebf52222e3 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 30 Nov 2021 16:52:49 +0100
Subject: [PATCH] OIDC: fallback to "email" if IDP doesn't provide "preferred_username" claim
Some IDPs (e.g. Authelia) don't support the "preferred_username" claim. Fallback to the "email" claim in that case.
---
 changelog/unreleased/user-claim-fallback.md | 3 +++
 pkg/auth/manager/oidc/oidc.go | 14 +++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 changelog/unreleased/user-claim-fallback.md
diff --git a/changelog/unreleased/user-claim-fallback.md b/changelog/unreleased/user-claim-fallback.md
new file mode 100644
index 00000000000..54fc61a715b
--- /dev/null
+++ b/changelog/unreleased/user-claim-fallback.md
@@ -0,0 +1,3 @@
+Enhancement: OIDC: fallback to "email" if IDP doesn't provide "preferred_username" claim
+
+https://github.com/cs3org/reva/pull/2314
diff --git a/pkg/auth/manager/oidc/oidc.go b/pkg/auth/manager/oidc/oidc.go
index c6dd62b371a..2ed67a26986 100644
--- a/pkg/auth/manager/oidc/oidc.go
+++ b/pkg/auth/manager/oidc/oidc.go
@@ -135,8 +135,16 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 return nil, nil, fmt.Errorf("no \"email\" attribute found in userinfo: maybe the client did not request the oidc \"email\"-scope")
 }
- if claims["preferred_username"] == nil || claims["name"] == nil {
- return nil, nil, fmt.Errorf("no \"preferred_username\" or \"name\" attribute found in userinfo: maybe the client did not request the oidc \"profile\"-scope")
+ userClaim := "preferred_username"
+ if claims["preferred_username"] == nil {
+ if claims["email"] != nil {
+ userClaim = "email"
+ } else {
+ return nil, nil, fmt.Errorf("no \"preferred_username\" and \"email\" attribute found in userinfo: maybe the client did not request the oidc \"profile\"-scope")
+ }
+ }
+ if claims["name"] == nil {
+ return nil, nil, fmt.Errorf("no \"name\" attribute found in userinfo: maybe the client did not request the oidc \"profile\"-scope")
 }
 var uid, gid float64
@@ -168,7 +176,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 u := &user.User{
 Id: userID,
- Username: claims["preferred_username"].(string),
+ Username: claims[userClaim].(string),
 // TODO(labkode) if we can get groups from the claim we need to give the possibility
 // to the admin to choose what claim provides the groups.
 // TODO(labkode) ... use all claims from oidc?
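Review bot: The `else` branch of the new fallback block looks unreachable, and the fallback itself weakens the trust placed in the username: the context line at the top of this hunk is the tail of a check that already returns when the `email` claim is absent (its message is `no "email" attribute found in userinfo`), so `claims["email"] != nil` is always true by the time `userClaim` is chosen and the `no "preferred_username" and "email"` error can never fire. The more serious point is that `email` is a mutable, often self-service attribute that not every IdP verifies, so promoting it to the account username whenever an IdP omits `preferred_username` lets a user who can edit their own email on the IdP pick a username that collides with or impersonates another account. I would only fall back when the IdP asserts the standard `email_verified` claim, and log that the fallback is in effect so operators notice; making the fallback claim an explicit configuration option rather than automatic would be safer still. `Authenticate` begins before and ends after this hunk.
```go
	userClaim := "preferred_username"
	if claims["preferred_username"] == nil {
		// Only accept the (mutable) email claim as a username when the IdP
		// vouches for it; otherwise a user-chosen address becomes the account name.
		if verified, _ := claims["email_verified"].(bool); !verified {
			return nil, nil, fmt.Errorf("no \"preferred_username\" attribute found in userinfo and \"email\" is not verified: refusing to use it as username")
		}
		userClaim = "email"
	}
	// … unchanged: "name" claim check …
```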
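Review bot: The new `Username: claims[userClaim].(string)` keeps an unchecked type assertion, which panics (and takes the request down with it) if the chosen claim is present but not a string; with the fallback the assertion now also runs against `email`, so the set of IdP payloads that can trigger it grows. A checked assertion before the struct literal avoids this: `username, ok := claims[userClaim].(string)` followed by `if !ok { return nil, nil, fmt.Errorf("userinfo claim %q is not a string", userClaim) }`, then `Username: username,`. It is also worth stating, presumably in a comment on this line, that `Username` may now be an email address, since downstream code that parses or displays usernames may not expect an `@`. The `user.User` literal and `Authenticate` continue outside this hunk.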