add preffered_username to idToken

Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-10 16:43:41 +02:00
parent 4bede5eb80
commit c1b421fa04
12 changed files with 160 additions and 113 deletions
--- a/connector/connector.go
+++ b/connector/connector.go
@@ -23,10 +23,11 @@ type Scopes struct {

 // Identity represents the ID Token claims supported by the server.
 type Identity struct {
-	UserID        string
-	Username      string
-	Email         string
-	EmailVerified bool
+	UserID            string
+	Username          string
+	PreferredUsername string
+	Email             string
+	EmailVerified     bool

 	Groups []string

--- a/connector/github/github.go
+++ b/connector/github/github.go
@@ -266,10 +266,11 @@ func (c *githubConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 	}

 	identity = connector.Identity{
-		UserID:        strconv.Itoa(user.ID),
-		Username:      username,
-		Email:         user.Email,
-		EmailVerified: true,
+		UserID:            strconv.Itoa(user.ID),
+		Username:          username,
+		PreferredUsername: user.Login,
+		Email:             user.Email,
+		EmailVerified:     true,
 	}
 	if c.useLoginAsID {
 		identity.UserID = user.Login
@@ -317,6 +318,7 @@ func (c *githubConnector) Refresh(ctx context.Context, s connector.Scopes, ident
 		username = user.Login
 	}
 	identity.Username = username
+	identity.PreferredUsername = user.Login
 	identity.Email = user.Email

 	// Only set identity.Groups if 'orgs', 'org', or 'groups' scope are specified.
--- a/connector/gitlab/gitlab.go
+++ b/connector/gitlab/gitlab.go
@@ -147,10 +147,11 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 		username = user.Email
 	}
 	identity = connector.Identity{
-		UserID:        strconv.Itoa(user.ID),
-		Username:      username,
-		Email:         user.Email,
-		EmailVerified: true,
+		UserID:            strconv.Itoa(user.ID),
+		Username:          username,
+		PreferredUsername: user.Username,
+		Email:             user.Email,
+		EmailVerified:     true,
 	}
 	if c.useLoginAsID {
 		identity.UserID = user.Username
@@ -197,6 +198,7 @@ func (c *gitlabConnector) Refresh(ctx context.Context, s connector.Scopes, ident
 		username = user.Email
 	}
 	ident.Username = username
+	ident.PreferredUsername = user.Username
 	ident.Email = user.Email

 	if c.groupsRequired(s.Groups) {
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -39,6 +39,7 @@ import (
 //         idAttr: uid
 //         emailAttr: mail
 //         nameAttr: name
+//         preferredUsernameAttr: uid
 //       groupSearch:
 //         # Would translate to the query "(&(objectClass=group)(member=<user uid>))"
 //         baseDN: cn=groups,dc=example,dc=com
@@ -103,9 +104,10 @@ type Config struct {
 		Scope string `json:"scope"`

 		// A mapping of attributes on the user entry to claims.
-		IDAttr    string `json:"idAttr"`    // Defaults to "uid"
-		EmailAttr string `json:"emailAttr"` // Defaults to "mail"
-		NameAttr  string `json:"nameAttr"`  // No default.
+		IDAttr                    string `json:"idAttr"`                // Defaults to "uid"
+		EmailAttr                 string `json:"emailAttr"`             // Defaults to "mail"
+		NameAttr                  string `json:"nameAttr"`              // No default.
+		PreferredUsernameAttrAttr string `json:"preferredUsernameAttr"` // No default.

 		// If this is set, the email claim of the id token will be constructed from the idAttr and
 		// value of emailSuffix. This should not include the @ character.
@@ -341,6 +343,12 @@ func (c *ldapConnector) identityFromEntry(user ldap.Entry) (ident connector.Iden
 		}
 	}

+	if c.UserSearch.PreferredUsernameAttrAttr != "" {
+		if ident.PreferredUsername = getAttr(user, c.UserSearch.PreferredUsernameAttrAttr); ident.PreferredUsername == "" {
+			missing = append(missing, c.UserSearch.PreferredUsernameAttrAttr)
+		}
+	}
+
 	if c.UserSearch.EmailSuffix != "" {
 		ident.Email = ident.Username + "@" + c.UserSearch.EmailSuffix
 	} else if ident.Email = getAttr(user, c.UserSearch.EmailAttr); ident.Email == "" {
@@ -381,6 +389,10 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 		req.Attributes = append(req.Attributes, c.UserSearch.NameAttr)
 	}

+	if c.UserSearch.PreferredUsernameAttrAttr != "" {
+		req.Attributes = append(req.Attributes, c.UserSearch.PreferredUsernameAttrAttr)
+	}
+
 	c.logger.Infof("performing ldap search %s %s %s",
 		req.BaseDN, scopeString(req.Scope), req.Filter)
 	resp, err := conn.Search(req)