这是indexloc提供的服务,不要输入任何密码
Skip to content

oidc: distinguish between username and preferred_username claims #789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 17, 2025
Merged

oidc: distinguish between username and preferred_username claims #789

merged 2 commits into from
Jun 17, 2025

Conversation

@dezeroku
Copy link
Contributor

@dezeroku dezeroku commented Jun 15, 2025

Check list

According to the contributing guide, A PR should contain:

  • A clear description of why it was opened.
  • A short title that best describes the change.
  • Must pass unit and integration tests, which can be run checked locally prior to opening a PR.
  • Any additional details for functionality not covered by tests.

Description

First of all, thanks for implementing the OIDC feature in the fork!

In current setup, when you want to obtain user's name from the OIDC claims, the preferred_username claim is used.

This is problematic, because depending on the OIDC provider username can be stored in either username or preferred_username claim, most providers even provide both claims.

This PR allows you to decide which claim you want to use to obtain username.

Tested with Hashicorp Vault based OIDC provider.

Additional Details

This change is BREAKING, as it changes the username behaviour, moving the old implementation to preferred_username switch.

On a side note, preferred_username seems to be more fragile, as in most implementations it's mutable and can be changed by the user after account creation.

@gtsteffaniak
Copy link
Owner

gtsteffaniak commented Jun 17, 2025

thanks for the contribution, I tried to do everything based on the oidc spec I was reading online and preferred_username appeared to be the standard.

but giving options definitely makes sense, merging!

@gtsteffaniak gtsteffaniak merged commit 1f1d1c5 into gtsteffaniak:main Jun 17, 2025
@dezeroku dezeroku deleted the oidc-username branch June 17, 2025 01:07
@dezeroku
Copy link
Contributor Author

dezeroku commented Jun 17, 2025

Appreciate the quick response!

For the completeness, I've only now seen that I forgot to add the preferred_username as yet another option in the docs/comments: https://github.com/gtsteffaniak/filebrowser/blob/main/backend/common/settings/auth.go#L60
Might be handy to piggyback it on top of a bigger change.

Similarly for the wiki page.

@gtsteffaniak
Copy link
Owner

gtsteffaniak commented Jun 17, 2025

Right good catch, I can clean that up in a dev branch. I always overwrite the full config wiki every release

@gtsteffaniak gtsteffaniak mentioned this pull request Jun 21, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dezeroku @gtsteffaniak