OIDC preferred_username
#117
Comments
|
Hi again Chris, thanks for another excellent issue. I think this may actually be two issues in one. First being "can we make preferred_username configurable" which is a definite yes, and a second security vulnerability in the fact I'm using preferred_username as an ID rather than a GUID in the claim. I definitely agree that the first issue should be configurable and you're more than welcome to open a MR for that. |
|
I think for using the GUID (from the {
"username": "<uuid/guid>",
"displayname": "<preferred username>"
...
}Certainly a process that requires an admin to pre-create user accounts would be tricky, because locating the GUIDs are a pain. Once the users have performed an initial login, the admin can then perform other tasks like managing their group memberships (beyond what the groups claim may have) and register tokens etc. |
|
I've been meaning to make device registration SSO enabled for sometime actually. So it could be quite nice to have it that on first registration it creates the association. Just makes it basically impossible to automate. |
|
looks like in version 8, in the Line 20 in 85ab816 I just cant see anywhere its set, and there isnt a corresponding option used when loading from the config file |
|
Ah I am incredibly dumb and forgot that I'd implemented this: This is in the oidc provider, you can configure it via the administrative UI under settings. deviceUsername := info.GetPreferredUsername()
if len(o.details.DeviceUsernameClaim) != 0 {
deviceUsernameClaim, ok := tokens.IDTokenClaims.GetClaim(o.details.DeviceUsernameClaim).(string)
if !ok {
log.Println("Error, Device Username Claim set but idP has not set attribute in users token")
http.Error(w, "Server Error", http.StatusInternalServerError)
return
}
deviceUsername = deviceUsernameClaim
} |
|
Yeah, I think the corresponding struct field just needs to be added here: Line 104 in 85ab816 |
|
Ah yes, it does. I've just left it being configurable in the administrative UI rather than adding it to the json file. Apologies! |
|
I've just updated my comments to be less incorrect haha |
|
Finally getting back around to this. I'll be using the |
|
My solution to the security portion of this issue is just to store and check the Idp provided subject. So its probably no the best solution. But it is the one that makes this a security non-issue, and doesnt require significant reworking of users within wag. |
NHAS
added
the
needs testing (on unstable)
|
Hmm, seems this was somehow reverted and Im not sure how. I'll be adding it back today |
Hi
I'm using AzureAD as the OIDC provider, and for some reason, when processing the
preferred_usernameclaim, its returning an empty string. Would it be possible to expose the claim used for the username as a configurable.Additionally, the preferred_username is listed as "mutable" and not recommended for use as a linking identifier (at least according to MS - https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference). Previously when I've done OIDC stuff with MS, my user model had a
UsernameandDisplayname(Displaynamedefaulted toUsername), and then when using OIDC, the username value would be sourced from theoidclaim and the display name would be sourced frompreferred_username/name/email(configurable probably).The issue with the
oidclaim without the differentiation of username vs displayname is that theoidis a GUID which makes no sense in a UI.Happy to help with dev, if you think this is an issue worth looking at. Happy to, as a first cut, just provide an MR making the username claim configurable (default to
preferred_username). Later look at updating the user model to introduce the username vs displayname conceptThe text was updated successfully, but these errors were encountered: