Support OpenID Connect better in the OAuth2 'custom' provider
The OpenID Connect standard specifies that `sub` contains the user ID.
Until now, openQA only looked for a field named `id`.

When using Keycloak as identity provider there is no such field, it
returns only `sub` as expected in OpenID Connect.

To avoid breaking any existing configs, this patch adds a new `id_from`
config field which defaults to `id`, so existing behaviour is preserved.
Set `id_from = sub` in the OAuth2 provider config to get the new
behaviour.

Fixes: #5771
ssssam committed Feb 4, 2025
1 parent a95b31e commit 3033a91
Showing 3 changed files with 8 additions and 3 deletions.
1 change: 1 addition & 0 deletions lib/OpenQA/Setup.pm
@@ -96,6 +96,7 @@ sub read_config ($app) {
token_label => '',
nickname_from => '',
unique_name => '',
id_from => 'id',
},
hypnotoad => {
listen => ['http://localhost:9526/'],
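Review bot: No documentation or sample configuration change accompanies the new `id_from` key in this commit, even though it is added to the default config in `read_config` with the value `'id'`; consider documenting the key, and the `sub` value needed for OpenID Connect providers such as Keycloak, alongside `nickname_from` and `unique_name` so operators can discover it without reading the source.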
9 changes: 6 additions & 3 deletions lib/OpenQA/WebAPI/Auth/OAuth2.pm
@@ -44,6 +44,7 @@ sub auth_setup ($server) {
user_url => $config->{user_url},
token_scope => $config->{token_scope},
token_label => $config->{token_label},
id_from => $config->{id_from} || 'id',
nickname_from => $config->{nickname_from},
unique_name => $config->{unique_name},
},
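Review bot: The fallback `id_from => $config->{id_from} || 'id'` duplicates the default already set in `read_config` in `lib/OpenQA/Setup.pm`, leaving two places that must be kept in agreement; either drop the `|| 'id'` here or make this line the single source of truth. Note also that `||` silently turns an explicitly empty `id_from` in the config into `'id'`, while `nickname_from` and `unique_name` on the adjacent lines get no such fallback, so empty values behave inconsistently across the three fields.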
@@ -69,16 +70,18 @@ sub update_user ($controller, $main_config, $provider_config, $data) {
return $controller->render(text => $msg, status => 403); # return always 403 for consistency
}
my $details = $tx->res->json;
if (ref $details ne 'HASH' || !$details->{id} || !$details->{$provider_config->{nickname_from}}) {
my $id_field = $provider_config->{id_from};
my $nickname_field = $provider_config->{nickname_from};
if (ref $details ne 'HASH' || !$details->{$id_field} || !$details->{$nickname_field}) {
log_debug('OAuth2 user provider returned: ' . dumper($details));
return $controller->render(text => 'User data returned by OAuth2 provider is insufficient', status => 403);
}
my $provider_name = $main_config->{provider};
$provider_name = $provider_config->{unique_name} || $provider_name if $provider_name eq 'custom';
my $user = $controller->schema->resultset('Users')->create_user(
$details->{id},
$details->{$id_field},
provider => "oauth2\@$provider_name",
nickname => $details->{$provider_config->{nickname_from}},
nickname => $details->{$nickname_field},
fullname => $details->{name},
email => $details->{email});

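Review bot: The validity check `!$details->{$id_field}` only tests Perl truthiness, so an account whose identifier is the literal string `0` is rejected as insufficient, while a non-scalar value returned under the configured field (for example a nested object) passes and is handed to `create_user` as a reference; now that the field name is operator-configurable, a stricter `defined`, `!ref` and `length` check would make a misconfigured `id_from` fail predictably instead of creating a user with a garbage identifier. The `log_debug` on the failure path also dumps the complete provider response, which includes `email` and `name`, into the debug log; consider logging only the field names present rather than the values.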
1 change: 1 addition & 0 deletions t/config.t
@@ -87,6 +87,7 @@ subtest 'Test configuration default modes' => sub {
user_url => '',
token_scope => '',
token_label => '',
id_from => '',
nickname_from => '',
unique_name => '',
},
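Review bot: The expected value `id_from => ''` in the 'Test configuration default modes' subtest does not match the `id_from => 'id'` default added to `read_config` in `lib/OpenQA/Setup.pm`; if the subtest checks the built-in defaults this should be `'id'`, and if it instead reads a fixture config that sets the keys empty, an additional assertion that an absent key resolves to `'id'` would cover the new default. There is also no test exercising `id_from = sub` against `update_user`, which is the case the commit message says it fixes.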