feat: Add ability to map OIDC attributes and ignore username

Closes #554
2025-07-19 05:09:43 +02:00 · 2024-01-25 23:01:59 +01:00 · 2024-01-25 23:01:59 +01:00 · 0d39a7567f
commit 0d39a7567f
parent 76a18d06d6
13 changed files with 112 additions and 72 deletions
--- a/server/api/controllers/users/update-username.js
+++ b/server/api/controllers/users/update-username.js
@ -53,11 +53,7 @@ module.exports = {
  async fn(inputs) {
    const { currentUser } = this.req;

-    if (inputs.id === currentUser.id) {
-      if (!inputs.currentPassword) {
-        throw Errors.INVALID_CURRENT_PASSWORD;
-      }
-    } else if (!currentUser.isAdmin) {
+    if (inputs.id !== currentUser.id && !currentUser.isAdmin) {
      throw Errors.USER_NOT_FOUND; // Forbidden
    }

@ -67,15 +63,18 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

-    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
+    if (user.email === sails.config.custom.defaultAdminEmail) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }

-    if (
-      inputs.id === currentUser.id &&
-      !bcrypt.compareSync(inputs.currentPassword, user.password)
-    ) {
-      throw Errors.INVALID_CURRENT_PASSWORD;
+    if (user.isSso) {
+      if (!sails.config.custom.oidcIgnoreUsername) {
+        throw Errors.NOT_ENOUGH_RIGHTS;
+      }
+    } else if (inputs.id === currentUser.id) {
+      if (!inputs.currentPassword || !bcrypt.compareSync(inputs.currentPassword, user.password)) {
+        throw Errors.INVALID_CURRENT_PASSWORD;
+      }
    }

    const values = _.pick(inputs, ['username']);
--- a/server/api/helpers/users/get-or-create-one-using-oidc.js
+++ b/server/api/helpers/users/get-or-create-one-using-oidc.js
@ -38,7 +38,10 @@ module.exports = {
      throw 'invalidCodeOrNonce';
    }

-    if (!userInfo.email || !userInfo.name) {
+    if (
+      !userInfo[sails.config.custom.oidcEmailAttribute] ||
+      !userInfo[sails.config.custom.oidcNameAttribute]
+    ) {
      throw 'missingValues';
    }

@ -56,12 +59,14 @@ module.exports = {

    const values = {
      isAdmin,
-      email: userInfo.email,
+      email: userInfo[sails.config.custom.oidcEmailAttribute],
      isSso: true,
-      name: userInfo.name,
-      username: userInfo.preferred_username,
+      name: userInfo[sails.config.custom.oidcNameAttribute],
      subscribeToOwnCards: false,
    };
+    if (!sails.config.custom.oidcIgnoreUsername) {
+      values.username = userInfo[sails.config.custom.oidcUsernameAttribute];
+    }

    let user;
    // This whole block technically needs to be executed in a transaction
@ -95,7 +100,10 @@ module.exports = {
      });
    }

-    const updateFieldKeys = ['email', 'isSso', 'name', 'username'];
+    const updateFieldKeys = ['email', 'isSso', 'name'];
+    if (!sails.config.custom.oidcIgnoreUsername) {
+      updateFieldKeys.push('username');
+    }
    if (!sails.config.custom.oidcIgnoreRoles) {
      updateFieldKeys.push('isAdmin');
    }
--- a/server/api/models/User.js
+++ b/server/api/models/User.js
@ -116,6 +116,7 @@ module.exports = {
      ..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
      isLocked: this.isSso || isDefaultAdmin,
      isRoleLocked: (this.isSso && !sails.config.custom.oidcIgnoreRoles) || isDefaultAdmin,
+      isUsernameLocked: (this.isSso && !sails.config.custom.oidcIgnoreUsername) || isDefaultAdmin,
      isDeletionLocked: isDefaultAdmin,
      avatarUrl:
        this.avatar &&