Allow preferred_username as username source for OIDC (#30454)

This PR adds the preferred_username claim as a possible username source
for the oauth2_client.

Closes #21518
This commit is contained in:
SimonErm 2024-04-16 07:41:39 +02:00 committed by GitHub
parent cf9061f44a
commit 6ba0c371c2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 15 additions and 4 deletions

View File

@ -1553,8 +1553,9 @@ LEVEL = Info
;; The source of the username for new oauth2 accounts: ;; The source of the username for new oauth2 accounts:
;; userid = use the userid / sub attribute ;; userid = use the userid / sub attribute
;; nickname = use the nickname attribute ;; nickname = use the nickname attribute
;; preferred_username = use the preferred_username attribute
;; email = use the username part of the email attribute ;; email = use the username part of the email attribute
;; Note: `nickname` and `email` options will normalize input strings using the following criteria: ;; Note: `nickname`, `preferred_username` and `email` options will normalize input strings using the following criteria:
;; - diacritics are removed ;; - diacritics are removed
;; - the characters in the set `['´\x60]` are removed ;; - the characters in the set `['´\x60]` are removed
;; - the characters in the set `[\s~+]` are replaced with `-` ;; - the characters in the set `[\s~+]` are replaced with `-`

View File

@ -608,9 +608,10 @@ And the following unique queues:
- `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users. - `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts: - `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
- `userid` - use the userid / sub attribute - `userid` - use the userid / sub attribute
- `nickname` - use the nickname attribute - `nickname` - use the nickname
- `preferred_username` - use the preferred_username
- `email` - use the username part of the email attribute - `email` - use the username part of the email attribute
- Note: `nickname` and `email` options will normalize input strings using the following criteria: - Note: `nickname`, `preferred_username` and `email` options will normalize input strings using the following criteria:
- diacritics are removed - diacritics are removed
- the characters in the set `['´\x60]` are removed - the characters in the set `['´\x60]` are removed
- the characters in the set `[\s~+]` are replaced with `-` - the characters in the set `[\s~+]` are replaced with `-`

View File

@ -22,11 +22,13 @@ const (
OAuth2UsernameNickname OAuth2UsernameType = "nickname" OAuth2UsernameNickname OAuth2UsernameType = "nickname"
// OAuth2UsernameEmail username of oauth2 email field will be used as gitea name // OAuth2UsernameEmail username of oauth2 email field will be used as gitea name
OAuth2UsernameEmail OAuth2UsernameType = "email" OAuth2UsernameEmail OAuth2UsernameType = "email"
// OAuth2UsernameEmail username of oauth2 preferred_username field will be used as gitea name
OAuth2UsernamePreferredUsername OAuth2UsernameType = "preferred_username"
) )
func (username OAuth2UsernameType) isValid() bool { func (username OAuth2UsernameType) isValid() bool {
switch username { switch username {
case OAuth2UsernameUserid, OAuth2UsernameNickname, OAuth2UsernameEmail: case OAuth2UsernameUserid, OAuth2UsernameNickname, OAuth2UsernameEmail, OAuth2UsernamePreferredUsername:
return true return true
} }
return false return false

View File

@ -386,6 +386,13 @@ func getUserName(gothUser *goth.User) (string, error) {
switch setting.OAuth2Client.Username { switch setting.OAuth2Client.Username {
case setting.OAuth2UsernameEmail: case setting.OAuth2UsernameEmail:
return user_model.NormalizeUserName(strings.Split(gothUser.Email, "@")[0]) return user_model.NormalizeUserName(strings.Split(gothUser.Email, "@")[0])
case setting.OAuth2UsernamePreferredUsername:
preferredUsername, exists := gothUser.RawData["preferred_username"]
if exists {
return user_model.NormalizeUserName(preferredUsername.(string))
} else {
return "", fmt.Errorf("preferred_username is missing in received user data but configured as username source for user_id %q. Check if OPENID_CONNECT_SCOPES contains profile", gothUser.UserID)
}
case setting.OAuth2UsernameNickname: case setting.OAuth2UsernameNickname:
return user_model.NormalizeUserName(gothUser.NickName) return user_model.NormalizeUserName(gothUser.NickName)
default: // OAuth2UsernameUserid default: // OAuth2UsernameUserid