make userName configurable

Documentation/connectors/oidc.md

@@ -71,7 +71,11 @@ connectors:
     # Default: sub
     # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims
     #
-    # userIdKey: nickname
+    # userIDKey: nickname
+    
+    # The set claim is used as user name.
+    # Default: name
+    # userNameKey: nickname
 ```
 
 [oidc-doc]: openid-connect.md

connector/oidc/oidc.go

@@ -47,6 +47,9 @@ type Config struct {
 
 	// Configurable key which contains the user id claim
 	UserIDKey string `json:"userIDKey"`
+
+	// Configurable key which contains the user name claim
+	UserNameKey string `json:"userNameKey"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -131,6 +134,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 		getUserInfo:               c.GetUserInfo,
 		userIDKey:                 c.UserIDKey,
+		userNameKey:               c.UserNameKey,
 	}, nil
 }
 
@@ -151,6 +155,7 @@ type oidcConnector struct {
 	insecureSkipEmailVerified bool
 	getUserInfo               bool
 	userIDKey                 string
+	userNameKey               string
 }
 
 func (c *oidcConnector) Close() error {
@@ -209,9 +214,13 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 		return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
 	}
 
-	name, found := claims["name"].(string)
+	userNameKey := "name"
+	if c.userNameKey != "" {
+		userNameKey = c.userNameKey
+	}
+	name, found := claims[userNameKey].(string)
 	if !found {
-		return identity, errors.New("missing \"name\" claim")
+		return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
 	}
 	email, found := claims["email"].(string)
 	if !found {

connector/oidc/oidc_test.go

@@ -47,14 +47,18 @@ func TestHandleCallback(t *testing.T) {
 	tests := []struct {
 		name                      string
 		userIDKey                 string
+		userNameKey               string
 		insecureSkipEmailVerified bool
 		expectUserID              string
+		expectUserName            string
 		token                     map[string]interface{}
 	}{
 		{
 			name:           "simpleCase",
 			userIDKey:      "", // not configured
+			userNameKey:    "", // not configured
 			expectUserID:   "subvalue",
+			expectUserName: "namevalue",
 			token: map[string]interface{}{
 				"sub":            "subvalue",
 				"name":           "namevalue",
@@ -66,6 +70,7 @@ func TestHandleCallback(t *testing.T) {
 			name:                      "email_verified not in claims, configured to be skipped",
 			insecureSkipEmailVerified: true,
 			expectUserID:              "subvalue",
+			expectUserName:            "namevalue",
 			token: map[string]interface{}{
 				"sub":   "subvalue",
 				"name":  "namevalue",
@@ -76,6 +81,7 @@ func TestHandleCallback(t *testing.T) {
 			name:           "withUserIDKey",
 			userIDKey:      "name",
 			expectUserID:   "namevalue",
+			expectUserName: "namevalue",
 			token: map[string]interface{}{
 				"sub":            "subvalue",
 				"name":           "namevalue",
@@ -83,6 +89,18 @@ func TestHandleCallback(t *testing.T) {
 				"email_verified": true,
 			},
 		},
+		{
+			name:           "withUserNameKey",
+			userNameKey:    "user_name",
+			expectUserID:   "subvalue",
+			expectUserName: "username",
+			token: map[string]interface{}{
+				"sub":            "subvalue",
+				"user_name":      "username",
+				"email":          "emailvalue",
+				"email_verified": true,
+			},
+		},
 	}
 
 	for _, tc := range tests {
@@ -100,6 +118,7 @@ func TestHandleCallback(t *testing.T) {
 				Scopes:                    []string{"groups"},
 				RedirectURI:               fmt.Sprintf("%s/callback", serverURL),
 				UserIDKey:                 tc.userIDKey,
+				UserNameKey:               tc.userNameKey,
 				InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
 			}
 
@@ -119,7 +138,7 @@ func TestHandleCallback(t *testing.T) {
 			}
 
 			expectEquals(t, identity.UserID, tc.expectUserID)
-			expectEquals(t, identity.Username, "namevalue")
+			expectEquals(t, identity.Username, tc.expectUserName)
 			expectEquals(t, identity.Email, "emailvalue")
 			expectEquals(t, identity.EmailVerified, true)
 		})