From 811be3a36ac67d0d098b442d97316e0e4ad8d0db Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Thu, 26 Jan 2023 16:43:15 +0000 Subject: [PATCH] Added option to change the OIDC claim regarded as the ID Defined via a OIDC_EXTERNAL_ID_CLAIM env option. For #3914 --- .env.example.complete | 1 + app/Auth/Access/Oidc/OidcService.php | 3 ++- app/Config/oidc.php | 5 ++++- tests/Auth/OidcTest.php | 20 ++++++++++++++++++++ 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.env.example.complete b/.env.example.complete index 03e52d6bb..7e6c6ee3c 100644 --- a/.env.example.complete +++ b/.env.example.complete @@ -268,6 +268,7 @@ OIDC_DUMP_USER_DETAILS=false OIDC_USER_TO_GROUPS=false OIDC_GROUPS_CLAIM=groups OIDC_REMOVE_FROM_GROUPS=false +OIDC_EXTERNAL_ID_CLAIM=sub # Disable default third-party services such as Gravatar and Draw.IO # Service-specific options will override this option diff --git a/app/Auth/Access/Oidc/OidcService.php b/app/Auth/Access/Oidc/OidcService.php index a9323d423..1ca5e19a2 100644 --- a/app/Auth/Access/Oidc/OidcService.php +++ b/app/Auth/Access/Oidc/OidcService.php @@ -198,7 +198,8 @@ class OidcService */ protected function getUserDetails(OidcIdToken $token): array { - $id = $token->getClaim('sub'); + $idClaim = $this->config()['external_id_claim']; + $id = $token->getClaim($idClaim); return [ 'external_id' => $id, diff --git a/app/Config/oidc.php b/app/Config/oidc.php index d223a63ef..1f73fb688 100644 --- a/app/Config/oidc.php +++ b/app/Config/oidc.php @@ -8,9 +8,12 @@ return [ // Dump user details after a login request for debugging purposes 'dump_user_details' => env('OIDC_DUMP_USER_DETAILS', false), - // Attribute, within a OpenId token, to find the user's display name + // Claim, within an OpenId token, to find the user's display name 'display_name_claims' => explode('|', env('OIDC_DISPLAY_NAME_CLAIMS', 'name')), + // Claim, within an OpenID token, to use to connect a BookStack user to the OIDC user. + 'external_id_claim' => env('OIDC_EXTERNAL_ID_CLAIM', 'sub'), + // OAuth2/OpenId client id, as configured in your Authorization server. 'client_id' => env('OIDC_CLIENT_ID', null), diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php index 32c2d4ae2..35acb7752 100644 --- a/tests/Auth/OidcTest.php +++ b/tests/Auth/OidcTest.php @@ -42,6 +42,7 @@ class OidcTest extends TestCase 'oidc.user_to_groups' => false, 'oidc.groups_claim' => 'group', 'oidc.remove_from_groups' => false, + 'oidc.external_id_claim' => 'sub', ]); } @@ -391,6 +392,25 @@ class OidcTest extends TestCase $this->assertTrue(auth()->check()); } + public function test_auth_uses_configured_external_id_claim_option() + { + config()->set([ + 'oidc.external_id_claim' => 'super_awesome_id', + ]); + $roleA = Role::factory()->create(['display_name' => 'Wizards']); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'super_awesome_id' => 'xXBennyTheGeezXx', + ]); + $resp->assertRedirect('/'); + + /** @var User $user */ + $user = User::query()->where('email', '=', 'benny@example.com')->first(); + $this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id); + } + public function test_login_group_sync() { config()->set([