Added option to change the OIDC claim regarded as the ID

Defined via a OIDC_EXTERNAL_ID_CLAIM env option.
For #3914
This commit is contained in:
Dan Brown 2023-01-26 16:43:15 +00:00
parent 3202f96181
commit 811be3a36a
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
4 changed files with 27 additions and 2 deletions

View file

@ -268,6 +268,7 @@ OIDC_DUMP_USER_DETAILS=false
OIDC_USER_TO_GROUPS=false
OIDC_GROUPS_CLAIM=groups
OIDC_REMOVE_FROM_GROUPS=false
OIDC_EXTERNAL_ID_CLAIM=sub
# Disable default third-party services such as Gravatar and Draw.IO
# Service-specific options will override this option

View file

@ -198,7 +198,8 @@ class OidcService
*/
protected function getUserDetails(OidcIdToken $token): array
{
$id = $token->getClaim('sub');
$idClaim = $this->config()['external_id_claim'];
$id = $token->getClaim($idClaim);
return [
'external_id' => $id,

View file

@ -8,9 +8,12 @@ return [
// Dump user details after a login request for debugging purposes
'dump_user_details' => env('OIDC_DUMP_USER_DETAILS', false),
// Attribute, within a OpenId token, to find the user's display name
// Claim, within an OpenId token, to find the user's display name
'display_name_claims' => explode('|', env('OIDC_DISPLAY_NAME_CLAIMS', 'name')),
// Claim, within an OpenID token, to use to connect a BookStack user to the OIDC user.
'external_id_claim' => env('OIDC_EXTERNAL_ID_CLAIM', 'sub'),
// OAuth2/OpenId client id, as configured in your Authorization server.
'client_id' => env('OIDC_CLIENT_ID', null),

View file

@ -42,6 +42,7 @@ class OidcTest extends TestCase
'oidc.user_to_groups' => false,
'oidc.groups_claim' => 'group',
'oidc.remove_from_groups' => false,
'oidc.external_id_claim' => 'sub',
]);
}
@ -391,6 +392,25 @@ class OidcTest extends TestCase
$this->assertTrue(auth()->check());
}
public function test_auth_uses_configured_external_id_claim_option()
{
config()->set([
'oidc.external_id_claim' => 'super_awesome_id',
]);
$roleA = Role::factory()->create(['display_name' => 'Wizards']);
$resp = $this->runLogin([
'email' => 'benny@example.com',
'sub' => 'benny1010101',
'super_awesome_id' => 'xXBennyTheGeezXx',
]);
$resp->assertRedirect('/');
/** @var User $user */
$user = User::query()->where('email', '=', 'benny@example.com')->first();
$this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id);
}
public function test_login_group_sync()
{
config()->set([