feat: allow configurable username claim field in OIDC (#5507)

janLo · coadler · web-flow · commit de0601d61124 · 2023-01-04T15:16:31.000-06:00
Co-authored-by: Colin Adler &lt;colin1adler@gmail.com&gt;
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -248,6 +248,12 @@ func newConfig() *codersdk.DeploymentConfig {
 				Flag:    "oidc-ignore-email-verified",
 				Default: false,
 			},
+			UsernameField: &codersdk.DeploymentConfigField[string]{
+				Name:    "OIDC Username Field",
+				Usage:   "OIDC claim field to use as the username.",
+				Flag:    "oidc-username-field",
+				Default: "preferred_username",
+			},
 		},
 
 		Telemetry: &codersdk.TelemetryConfig{
diff --git a/cli/server.go b/cli/server.go
@@ -526,8 +526,9 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 					Verifier: oidcProvider.Verifier(&oidc.Config{
 						ClientID: cfg.OIDC.ClientID.Value,
 					}),
-					EmailDomain:  cfg.OIDC.EmailDomain.Value,
-					AllowSignups: cfg.OIDC.AllowSignups.Value,
+					EmailDomain:   cfg.OIDC.EmailDomain.Value,
+					AllowSignups:  cfg.OIDC.AllowSignups.Value,
+					UsernameField: cfg.OIDC.UsernameField.Value,
 				}
 			}
 
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -112,6 +112,9 @@ Flags:
                                                      OIDC.
                                                      Consumes $CODER_OIDC_SCOPES (default
                                                      [openid,profile,email])
+      --oidc-username-field string                   OIDC claim field to use as the username.
+                                                     Consumes $CODER_OIDC_USERNAME_FIELD
+                                                     (default "preferred_username")
       --postgres-url string                          URL of a PostgreSQL database. If empty,
                                                      PostgreSQL binaries will be downloaded
                                                      from Maven
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
@@ -1975,6 +1975,9 @@ const docTemplate = `{
                 },
                 "scopes": {
                     "$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"
+                },
+                "username_field": {
+                    "$ref": "#/definitions/codersdk.DeploymentConfigField-string"
                 }
             }
         },
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
@@ -1795,6 +1795,9 @@
         },
         "scopes": {
           "$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"
+        },
+        "username_field": {
+          "$ref": "#/definitions/codersdk.DeploymentConfigField-string"
         }
       }
     },
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -880,6 +880,7 @@ func (o *OIDCConfig) OIDCConfig() *coderd.OIDCConfig {
 		}, &oidc.Config{
 			SkipClientIDCheck: true,
 		}),
+		UsernameField: "preferred_username",
 	}
 }
 
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -198,6 +198,9 @@ type OIDCConfig struct {
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
 	IgnoreEmailVerified bool
+	// UsernameField selects the claim field to be used as the created user's
+	// username.
+	UsernameField string
 }
 
 func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
@@ -236,7 +239,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	usernameRaw, ok := claims["preferred_username"]
+	usernameRaw, ok := claims[api.OIDCConfig.UsernameField]
 	var username string
 	if ok {
 		username, _ = usernameRaw.(string)
diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go
@@ -99,6 +99,7 @@ type OIDCConfig struct {
 	IssuerURL           *DeploymentConfigField[string]   `json:"issuer_url" typescript:",notnull"`
 	Scopes              *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
 	IgnoreEmailVerified *DeploymentConfigField[bool]     `json:"ignore_email_verified" typescript:",notnull"`
+	UsernameField       *DeploymentConfigField[string]   `json:"username_field" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {
diff --git a/docs/api/general.md b/docs/api/general.md
@@ -535,6 +535,17 @@ curl -X GET http://coder-server:8080/api/v2/config/deployment \
       "shorthand": "string",
       "usage": "string",
       "value": "string"
+    },
+    "username_field": {
+      "default": "string",
+      "enterprise": true,
+      "flag": "string",
+      "hidden": true,
+      "name": "string",
+      "secret": true,
+      "shorthand": "string",
+      "usage": "string",
+      "value": "string"
     }
   },
   "pg_connection_url": {
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
@@ -1119,6 +1119,17 @@ CreateParameterRequest is a structure used to create a new parameter value for a
       "shorthand": "string",
       "usage": "string",
       "value": "string"
+    },
+    "username_field": {
+      "default": "string",
+      "enterprise": true,
+      "flag": "string",
+      "hidden": true,
+      "name": "string",
+      "secret": true,
+      "shorthand": "string",
+      "usage": "string",
+      "value": "string"
     }
   },
   "pg_connection_url": {
@@ -2072,6 +2083,17 @@ CreateParameterRequest is a structure used to create a new parameter value for a
     "shorthand": "string",
     "usage": "string",
     "value": "string"
+  },
+  "username_field": {
+    "default": "string",
+    "enterprise": true,
+    "flag": "string",
+    "hidden": true,
+    "name": "string",
+    "secret": true,
+    "shorthand": "string",
+    "usage": "string",
+    "value": "string"
   }
 }
 ```
@@ -2087,6 +2109,7 @@ CreateParameterRequest is a structure used to create a new parameter value for a
 | `ignore_email_verified` | [codersdk.DeploymentConfigField-bool](#codersdkdeploymentconfigfield-bool)                 | false    |              |             |
 | `issuer_url`            | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string)             | false    |              |             |
 | `scopes`                | [codersdk.DeploymentConfigField-array_string](#codersdkdeploymentconfigfield-array_string) | false    |              |             |
+| `username_field`        | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string)             | false    |              |             |
 
 ## codersdk.Parameter
 
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -452,6 +452,7 @@ export interface OIDCConfig {
   readonly issuer_url: DeploymentConfigField<string>
   readonly scopes: DeploymentConfigField<string[]>
   readonly ignore_email_verified: DeploymentConfigField<boolean>
+  readonly username_field: DeploymentConfigField<string>
 }
 
 // From codersdk/organizations.go

Original file line number	Diff line number	Diff line change
`@@ -526,8 +526,9 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`526`	`526`	`Verifier: oidcProvider.Verifier(&oidc.Config{`
`527`	`527`	`ClientID: cfg.OIDC.ClientID.Value,`
`528`	`528`	`}),`
`529`		`- EmailDomain: cfg.OIDC.EmailDomain.Value,`
`530`		`- AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`529`	`+ EmailDomain: cfg.OIDC.EmailDomain.Value,`
	`530`	`+ AllowSignups: cfg.OIDC.AllowSignups.Value,`
	`531`	`+ UsernameField: cfg.OIDC.UsernameField.Value,`
`531`	`532`	`}`
`532`	`533`	`}`
`533`	`534`
Original file line number	Diff line number	Diff line change
@@ -1975,6 +1975,9 @@ const docTemplate = `{
`1975`	`1975`	`},`
`1976`	`1976`	`"scopes": {`
`1977`	`1977`	`"$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"`
	`1978`	`+ },`
	`1979`	`+ "username_field": {`
	`1980`	`+ "$ref": "#/definitions/codersdk.DeploymentConfigField-string"`
`1978`	`1981`	`}`
`1979`	`1982`	`}`
`1980`	`1983`	`},`
Original file line number	Diff line number	Diff line change
`@@ -1795,6 +1795,9 @@`
`1795`	`1795`	`},`
`1796`	`1796`	`"scopes": {`
`1797`	`1797`	`"$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"`
	`1798`	`+ },`
	`1799`	`+ "username_field": {`
	`1800`	`+ "$ref": "#/definitions/codersdk.DeploymentConfigField-string"`
`1798`	`1801`	`}`
`1799`	`1802`	`}`
`1800`	`1803`	`},`
Original file line number	Diff line number	Diff line change
`@@ -880,6 +880,7 @@ func (o OIDCConfig) OIDCConfig() coderd.OIDCConfig {`
`880`	`880`	`}, &oidc.Config{`
`881`	`881`	`SkipClientIDCheck: true,`
`882`	`882`	`}),`
	`883`	`+ UsernameField: "preferred_username",`
`883`	`884`	`}`
`884`	`885`	`}`
`885`	`886`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ type OIDCConfig struct {`
`99`	`99`	IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"`
`100`	`100`	Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
`101`	`101`	IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"`
	`102`	+ UsernameField *DeploymentConfigField[string] `json:"username_field" typescript:",notnull"`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`type TelemetryConfig struct {`
Original file line number	Diff line number	Diff line change
`@@ -452,6 +452,7 @@ export interface OIDCConfig {`
`452`	`452`	`readonly issuer_url: DeploymentConfigField<string>`
`453`	`453`	`readonly scopes: DeploymentConfigField<string[]>`
`454`	`454`	`readonly ignore_email_verified: DeploymentConfigField<boolean>`
	`455`	`+ readonly username_field: DeploymentConfigField<string>`
`455`	`456`	`}`
`456`	`457`
`457`	`458`	`// From codersdk/organizations.go`