feat: allow to set the username claim field in OIDC

janLo · janLo · commit d10b30fc67af · 2022-12-23T08:50:59.000+01:00
Gitlab does not set the preferred_username field.

Therefore, coder generates something from the users email address, which
is not very helpful. This allows the administrator to change the field
used for the username (e.g. to "nickname")

Signed-off-by: Jan Losinski &lt;losinski.j@gmail.com&gt;
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -248,6 +248,12 @@ func newConfig() *codersdk.DeploymentConfig {
 				Flag:    "oidc-ignore-email-verified",
 				Default: false,
 			},
+			UsernameField: &codersdk.DeploymentConfigField[string]{
+				Name:    "OIDC Username field",
+				Usage:   "OIDC claim filed to use as user-name.",
+				Flag:    "oidc-username-field",
+				Default: "preferred_username",
+			},
 		},
 
 		Telemetry: &codersdk.TelemetryConfig{
diff --git a/cli/server.go b/cli/server.go
@@ -526,8 +526,9 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 					Verifier: oidcProvider.Verifier(&oidc.Config{
 						ClientID: cfg.OIDC.ClientID.Value,
 					}),
-					EmailDomain:  cfg.OIDC.EmailDomain.Value,
-					AllowSignups: cfg.OIDC.AllowSignups.Value,
+					EmailDomain:   cfg.OIDC.EmailDomain.Value,
+					AllowSignups:  cfg.OIDC.AllowSignups.Value,
+					UsernameField: cfg.OIDC.UsernameField.Value,
 				}
 			}
 
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -112,6 +112,10 @@ Flags:
                                                      OIDC.
                                                      Consumes $CODER_OIDC_SCOPES (default
                                                      [openid,profile,email])
+      --oidc-username-field string                   OIDC claim filed to use as user-name.
+                                                     Consumes
+                                                     $CODER_OIDC_USERNAME_FILED (default
+                                                     "preferred_username")
       --postgres-url string                          URL of a PostgreSQL database. If empty,
                                                      PostgreSQL binaries will be downloaded
                                                      from Maven
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -880,6 +880,7 @@ func (o *OIDCConfig) OIDCConfig() *coderd.OIDCConfig {
 		}, &oidc.Config{
 			SkipClientIDCheck: true,
 		}),
+		UsernameField: "preferred_username",
 	}
 }
 
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -198,6 +198,8 @@ type OIDCConfig struct {
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
 	IgnoreEmailVerified bool
+	// UsernameField selects the claim field to be used as username
+	UsernameField string
 }
 
 func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
@@ -236,7 +238,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	usernameRaw, ok := claims["preferred_username"]
+	usernameRaw, ok := claims[api.OIDCConfig.UsernameField]
 	var username string
 	if ok {
 		username, _ = usernameRaw.(string)
diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go
@@ -99,6 +99,7 @@ type OIDCConfig struct {
 	IssuerURL           *DeploymentConfigField[string]   `json:"issuer_url" typescript:",notnull"`
 	Scopes              *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
 	IgnoreEmailVerified *DeploymentConfigField[bool]     `json:"ignore_email_verified" typescript:",notnull"`
+	UsernameField       *DeploymentConfigField[string]   `json:"username_filed" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {

Original file line number	Diff line number	Diff line change
`@@ -526,8 +526,9 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`526`	`526`	`Verifier: oidcProvider.Verifier(&oidc.Config{`
`527`	`527`	`ClientID: cfg.OIDC.ClientID.Value,`
`528`	`528`	`}),`
`529`		`- EmailDomain: cfg.OIDC.EmailDomain.Value,`
`530`		`- AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`529`	`+ EmailDomain: cfg.OIDC.EmailDomain.Value,`
	`530`	`+ AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`531`	`+ UsernameField: cfg.OIDC.UsernameField.Value,`
`531`	`532`	`}`
`532`	`533`	`}`
`533`	`534`
Original file line number	Diff line number	Diff line change
`@@ -880,6 +880,7 @@ func (o OIDCConfig) OIDCConfig() coderd.OIDCConfig {`
`880`	`880`	`}, &oidc.Config{`
`881`	`881`	`SkipClientIDCheck: true,`
`882`	`882`	`}),`
	`883`	`+ UsernameField: "preferred_username",`
`883`	`884`	`}`
`884`	`885`	`}`
`885`	`886`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ type OIDCConfig struct {`
`99`	`99`	IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"`
`100`	`100`	Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
`101`	`101`	IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"`
	`102`	+ UsernameField *DeploymentConfigField[string] `json:"username_filed" typescript:",notnull"`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`type TelemetryConfig struct {`