feat: allow to set the username claim field in OIDC

janLo · janLo · commit 415439beb818 · 2022-12-22T16:12:11.000+01:00
Gitlab does not set the preferred_username field.

Therefore, coder generates something from the users email address, which
is not very helpful. This allows the administrator to change the field
used for the username (e.g. to "nickname")

Signed-off-by: Jan Losinski &lt;losinski.j@gmail.com&gt;
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -248,6 +248,12 @@ func newConfig() *codersdk.DeploymentConfig {
 				Flag:    "oidc-ignore-email-verified",
 				Default: false,
 			},
+			UsernameField: &codersdk.DeploymentConfigField[string]{
+				Name:    "OIDC Username field",
+				Usage:   "OIDC claim filed to use as user-name.",
+				Flag:    "oidc-username-field",
+				Default: "preferred_username",
+			},
 		},
 
 		Telemetry: &codersdk.TelemetryConfig{
diff --git a/cli/root_test.go b/cli/root_test.go
@@ -124,6 +124,7 @@ ExtractCommandPathsLoop:
 			require.NoError(t, err, "read golden file, run \"make update-golden-files\" and commit the changes")
 			// Remove CRLF newlines (Windows).
 			want = bytes.ReplaceAll(want, []byte{'\r', '\n'}, []byte{'\n'})
+			fmt.Printf(string(got))
 			require.Equal(t, string(want), string(got), "golden file mismatch: %s, run \"make update-golden-files\", verify and commit the changes", gf)
 		})
 	}
diff --git a/cli/server.go b/cli/server.go
@@ -526,8 +526,9 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 					Verifier: oidcProvider.Verifier(&oidc.Config{
 						ClientID: cfg.OIDC.ClientID.Value,
 					}),
-					EmailDomain:  cfg.OIDC.EmailDomain.Value,
-					AllowSignups: cfg.OIDC.AllowSignups.Value,
+					EmailDomain:   cfg.OIDC.EmailDomain.Value,
+					AllowSignups:  cfg.OIDC.AllowSignups.Value,
+					UsernameField: cfg.OIDC.UsernameField.Value,
 				}
 			}
 
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -880,6 +880,7 @@ func (o *OIDCConfig) OIDCConfig() *coderd.OIDCConfig {
 		}, &oidc.Config{
 			SkipClientIDCheck: true,
 		}),
+		UsernameField: "preferred_username",
 	}
 }
 
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -198,6 +198,8 @@ type OIDCConfig struct {
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
 	IgnoreEmailVerified bool
+	// UsernameField selects the claim field to be used as username
+	UsernameField string
 }
 
 func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
@@ -236,7 +238,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	usernameRaw, ok := claims["preferred_username"]
+	usernameRaw, ok := claims[api.OIDCConfig.UsernameField]
 	var username string
 	if ok {
 		username, _ = usernameRaw.(string)
diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go
@@ -99,6 +99,7 @@ type OIDCConfig struct {
 	IssuerURL           *DeploymentConfigField[string]   `json:"issuer_url" typescript:",notnull"`
 	Scopes              *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
 	IgnoreEmailVerified *DeploymentConfigField[bool]     `json:"ignore_email_verified" typescript:",notnull"`
+	UsernameField       *DeploymentConfigField[string]   `json:"username_filed" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ ExtractCommandPathsLoop:`
`124`	`124`	`require.NoError(t, err, "read golden file, run \"make update-golden-files\" and commit the changes")`
`125`	`125`	`// Remove CRLF newlines (Windows).`
`126`	`126`	`want = bytes.ReplaceAll(want, []byte{'\r', '\n'}, []byte{'\n'})`
	`127`	`+ fmt.Printf(string(got))`
`127`	`128`	`require.Equal(t, string(want), string(got), "golden file mismatch: %s, run \"make update-golden-files\", verify and commit the changes", gf)`
`128`	`129`	`})`
`129`	`130`	`}`
Original file line number	Diff line number	Diff line change
`@@ -526,8 +526,9 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`526`	`526`	`Verifier: oidcProvider.Verifier(&oidc.Config{`
`527`	`527`	`ClientID: cfg.OIDC.ClientID.Value,`
`528`	`528`	`}),`
`529`		`- EmailDomain: cfg.OIDC.EmailDomain.Value,`
`530`		`- AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`529`	`+ EmailDomain: cfg.OIDC.EmailDomain.Value,`
	`530`	`+ AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`531`	`+ UsernameField: cfg.OIDC.UsernameField.Value,`
`531`	`532`	`}`
`532`	`533`	`}`
`533`	`534`
Original file line number	Diff line number	Diff line change
`@@ -880,6 +880,7 @@ func (o OIDCConfig) OIDCConfig() coderd.OIDCConfig {`
`880`	`880`	`}, &oidc.Config{`
`881`	`881`	`SkipClientIDCheck: true,`
`882`	`882`	`}),`
	`883`	`+ UsernameField: "preferred_username",`
`883`	`884`	`}`
`884`	`885`	`}`
`885`	`886`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ type OIDCConfig struct {`
`99`	`99`	IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"`
`100`	`100`	Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
`101`	`101`	IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"`
	`102`	+ UsernameField *DeploymentConfigField[string] `json:"username_filed" typescript:",notnull"`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`type TelemetryConfig struct {`