From df98dd6aab7286710ee76d2f8686b0ace33561fc Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 30 Nov 2021 17:18:06 +0100
Subject: [PATCH] OIDC: fallback to "email" if IDP doesn't provide "preferred_username" claim

Some IDPs (e.g. Authelia) don't add the "preferred_username" claim. Fallback to the "email" claim in that case.

Fixes: #2644
---
 changelog/unreleased/user-claim-fallback.md | 3 +++
 proxy/pkg/user/backend/accounts.go | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/user-claim-fallback.md

diff --git a/changelog/unreleased/user-claim-fallback.md b/changelog/unreleased/user-claim-fallback.md
new file mode 100644
index 00000000000..b46cdbcc956
--- /dev/null
+++ b/changelog/unreleased/user-claim-fallback.md
@@ -0,0 +1,3 @@
+Change: OIDC: fallback to "email" if IDP doesn't provide "preferred_username" claim
+
+https://github.com/owncloud/ocis/issues/2644
diff --git a/proxy/pkg/user/backend/accounts.go b/proxy/pkg/user/backend/accounts.go
index d05a69465ee..1c9fd0b833c 100644
--- a/proxy/pkg/user/backend/accounts.go
+++ b/proxy/pkg/user/backend/accounts.go
@@ -123,8 +123,12 @@ func (a accountsServiceBackend) CreateUserFromClaims(ctx context.Context, claims
 }
 }
 if req.Account.PreferredName, ok = claims[oidc.PreferredUsername].(string); !ok {
- a.logger.Warn().Msg("Missing preferred_username claim")
- } else {
+ a.logger.Warn().Msg("Missing preferred_username claim, falling back to email")
+ if req.Account.PreferredName, ok = claims[oidc.Email].(string); !ok {
+ a.logger.Debug().Msg("Missing email claim as well")
+ }
+ }
+ if req.Account.PreferredName != "" {
 // also use as on premises samaccount name
 req.Account.OnPremisesSamAccountName = req.Account.PreferredName
 }
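Review bot: The new fallback adopts the `email` claim as PreferredName, and through the `!= ""` guard below it as OnPremisesSamAccountName, without checking that the IdP asserts the address as verified, so on an IdP where users can set their own email an unverified value becomes an account identifier; the standard OIDC `email_verified` boolean should gate the fallback, e.g. `if verified, _ := claims["email_verified"].(bool); !verified { a.logger.Warn().Msg("email claim not verified, not using it as preferred name") }` placed before the email type assertion (substitute the project's constant if the `oidc` package defines one). An email-shaped value containing `@` is also unlikely to be an acceptable sAMAccountName, so the guard may need to skip the samaccount assignment in the fallback case rather than only when the name is empty — worth confirming against whatever consumes OnPremisesSamAccountName. Logging at Warn on every account creation from an IdP that never sends preferred_username will be noisy once the fallback is an accepted path; Info seems sufficient there. CreateUserFromClaims begins and ends outside this hunk.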