coder · johnstcn · Jun 6, 2024 · Jun 4, 2024 · Jun 4, 2024 · Jun 5, 2024
diff --git a/cli/server.go b/cli/server.go
@@ -169,6 +169,7 @@ func createOIDCConfig(ctx context.Context, vals *codersdk.DeploymentValues) (*co
 		EmailDomain:         vals.OIDC.EmailDomain,
 		AllowSignups:        vals.OIDC.AllowSignups.Value(),
 		UsernameField:       vals.OIDC.UsernameField.String(),
+		NameField:           vals.OIDC.NameField.String(),
 		EmailField:          vals.OIDC.EmailField.String(),
 		AuthURLParams:       vals.OIDC.AuthURLParams.Value,
 		IgnoreUserInfo:      vals.OIDC.IgnoreUserInfo.Value(),

diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -407,6 +407,9 @@ OIDC OPTIONS:
       --oidc-issuer-url string, $CODER_OIDC_ISSUER_URL
           Issuer URL to use for Login with OIDC.
 
+      --oidc-name-field string, $CODER_OIDC_NAME_FIELD (default: name)
+          OIDC claim field to use as the name.
+
       --oidc-group-regex-filter regexp, $CODER_OIDC_GROUP_REGEX_FILTER (default: .*)
           If provided any group name not matching the regex is ignored. This
           allows for filtering out groups that are not needed. This filter is

diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
@@ -306,6 +306,9 @@ oidc:
   # OIDC claim field to use as the username.
   # (default: preferred_username, type: string)
   usernameField: preferred_username
+  # OIDC claim field to use as the name.
+  # (default: name, type: string)
+  nameField: name
   # OIDC claim field to use as the email.
   # (default: email, type: string)
   emailField: email

diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/httpapi/name.go b/coderd/httpapi/name.go
@@ -91,3 +91,14 @@ func UserRealNameValid(str string) error {
 	}
 	return nil
 }
+
+// NormalizeUserRealName normalizes a user name such that it will pass
+// validation by UserRealNameValid. This is done to avoid blocking
+// little  Bobby  Whitespace  from using Coder.
+func NormalizeRealUsername(str string) string {
+	s := strings.TrimSpace(str)
+	if len(s) > 128 {
+		s = s[:128]
+	}
+	return s
+}
diff --git a/coderd/httpapi/name_test.go b/coderd/httpapi/name_test.go
@@ -1,9 +1,11 @@
 package httpapi_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/moby/moby/pkg/namesgenerator"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/httpapi"
@@ -217,6 +219,10 @@ func TestUserRealNameValid(t *testing.T) {
 		Name  string
 		Valid bool
 	}{
+		{"", true},
+		{" a", false},
+		{"a ", false},
+		{" a ", false},
 		{"1", true},
 		{"A", true},
 		{"A1", true},
@@ -229,17 +235,22 @@ func TestUserRealNameValid(t *testing.T) {
 		{"Małgorzata Kalinowska-Iszkowska", true},
 		{"成龍", true},
 		{". .", true},
-
 		{"Lord Voldemort ", false},
 		{" Bellatrix Lestrange", false},
 		{" ", false},
+		{strings.Repeat("a", 128), true},
+		{strings.Repeat("a", 129), false},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.Name, func(t *testing.T) {
 			t.Parallel()
-			valid := httpapi.UserRealNameValid(testCase.Name)
-			require.Equal(t, testCase.Valid, valid == nil)
+			err := httpapi.UserRealNameValid(testCase.Name)
+			norm := httpapi.NormalizeRealUsername(testCase.Name)
+			normErr := httpapi.UserRealNameValid(norm)
+			assert.NoError(t, normErr)
+			assert.Equal(t, testCase.Valid, err == nil)
+			assert.Equal(t, testCase.Valid, norm == testCase.Name, "invalid name should be different after normalization")
 		})
 	}
 }
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -607,6 +607,9 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ghName := ghUser.GetName()
+	normName := httpapi.NormalizeRealUsername(ghName)
+
 	// If we have a nil GitHub ID, that is a big problem. That would mean we link
 	// this user and all other users with this bug to the same uuid.
 	// We should instead throw an error. This should never occur in production.
@@ -652,6 +655,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		Email:        verifiedEmail.GetEmail(),
 		Username:     ghUser.GetLogin(),
 		AvatarURL:    ghUser.GetAvatarURL(),
+		Name:         normName,
 		DebugContext: OauthDebugContext{},
 	}).SetInitAuditRequest(func(params *audit.RequestParams) (*audit.Request[database.User], func()) {
 		return audit.InitRequest[database.User](rw, params)
@@ -701,6 +705,9 @@ type OIDCConfig struct {
 	// EmailField selects the claim field to be used as the created user's
 	// email.
 	EmailField string
+	// NameField selects the claim field to be used as the created user's
+	// full / given name.
+	NameField string
 	// AuthURLParams are additional parameters to be passed to the OIDC provider
 	// when requesting an access token.
 	AuthURLParams map[string]string
@@ -952,13 +959,22 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// The 'name' is an optional property in Coder. If not specified,
+	// it will be left blank.
+	var name string
+	nameRaw, ok := mergedClaims[api.OIDCConfig.NameField]
+	if ok {
+		name, _ = nameRaw.(string)
+		name = httpapi.NormalizeRealUsername(name)
+	}
+
 	var picture string
 	pictureRaw, ok := mergedClaims["picture"]
 	if ok {
 		picture, _ = pictureRaw.(string)
 	}
 
-	ctx = slog.With(ctx, slog.F("email", email), slog.F("username", username))
+	ctx = slog.With(ctx, slog.F("email", email), slog.F("username", username), slog.F("name", name))
 	usingGroups, groups, groupErr := api.oidcGroups(ctx, mergedClaims)
 	if groupErr != nil {
 		groupErr.Write(rw, r)
@@ -996,6 +1012,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		AllowSignups:        api.OIDCConfig.AllowSignups,
 		Email:               email,
 		Username:            username,
+		Name:                name,
 		AvatarURL:           picture,
 		UsingRoles:          api.OIDCConfig.RoleSyncEnabled(),
 		Roles:               roles,
@@ -1222,6 +1239,7 @@ type oauthLoginParams struct {
 	AllowSignups bool
 	Email        string
 	Username     string
+	Name         string
 	AvatarURL    string
 	// Is UsingGroups is true, then the user will be assigned
 	// to the Groups provided.
@@ -1544,6 +1562,10 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 			user.AvatarURL = params.AvatarURL
 			needsUpdate = true
 		}
+		if user.Name != params.Name {
+			user.Name = params.Name
+			needsUpdate = true
+		}
 
 		// If the upstream email or username has changed we should mirror
 		// that in Coder. Many enterprises use a user's email/username as