OIDC claim for preferred username #2798

Closed
laurivosandi opened this issue Jan 14, 2022 · 8 comments · Fixed by #2801
Labels
type/feature Request for adding a new feature

Comments

@laurivosandi

Looks like the "standard" one is name, at least that's what Harbor suggests using.

Please add the username claim that would allow forwarding the username from AD.

@laurivosandi laurivosandi added the type/feature Request for adding a new feature label Jan 14, 2022
@james-d-elliott
Member

james-d-elliott commented Jan 15, 2022

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

We already set the name claim as the user's display name if the profile scope is requested. We can set the preferred_username claim as well, though sub is already set to this. If Harbor really expects name to be the username, it's ignoring the specification though, as far as I can tell.

Also, according to the Harbor 2.4 docs, it looks like there should be a configuration attribute named "Username Claim" when you configure automatic onboarding. Try setting this to sub.

@laurivosandi
Author

Ah nice, maybe it's worth clarifying somewhere which claims Authelia supports out of the box? Maybe somewhere here? https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml#L975

@james-d-elliott
Member

james-d-elliott added a commit that referenced this issue Jan 18, 2022
This adds the missing preferred username claim to the ID Token for OIDC.

Fixes #2798
@james-d-elliott
Member

@laurivosandi just letting you know we added the preferred_username claim which should be available in the next patch/minor release.

@laurivosandi
Author

laurivosandi commented Jan 19, 2022

I guess the root problem here was being a newcomer to OIDC in general (scopes vs claims). Thanks for clarifying anyway :)

@james-d-elliott
Member

No drama at all! @laurivosandi just a forward warning, based on some intense reading of the spec, it's expected sub will change in the future.

@laurivosandi
Author

I noticed that sub now seems to insert some (user?) UUID?

@james-d-elliott
Member

Yes, it's an opaque identifier in the form of a UUID v4.
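
An added example, not part of the thread and not Authelia or Harbor code: a relying-party claim mapping that keys accounts on the (iss, sub) pair, which OpenID Connect Core names as the only guaranteed unique identifier, and treats the configurable username claim as a label only. The issuer URL, both token payloads and the map_user helper are constructed for illustration.

```python
import uuid

ISSUER = "https://auth.example.com"  # hypothetical issuer URL

# Constructed, already-verified ID token payloads (not captured from Authelia).
BEFORE = {"iss": ISSUER, "sub": "jdoe", "name": "John Doe"}
AFTER = {
    "iss": ISSUER,
    "sub": "3f2b8c1e-6c1d-4f0a-9b7e-2a5d8e4c9f10",
    "preferred_username": "jdoe",
    "name": "John Doe",
}


def is_uuid4(value):
    """True when value parses as a version 4 UUID, i.e. an opaque sub."""
    try:
        return uuid.UUID(value).version == 4
    except (ValueError, AttributeError, TypeError):
        return False


def map_user(claims, username_claim="preferred_username"):
    """Map ID token claims to a local account record (hypothetical helper).

    The account is keyed on (iss, sub); the configurable username claim
    is used only as the human-readable login name.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str) or not iss or not sub:
        raise ValueError("ID token must carry non-empty iss and sub")

    warnings = []
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username:
        warnings.append(f"claim {username_claim!r} missing; no username set")
        username = None
    elif is_uuid4(username):
        warnings.append(f"claim {username_claim!r} is an opaque UUID, not a login name")

    return {
        "key": (iss, sub),
        "username": username,
        "display_name": claims.get("name"),
        "warnings": warnings,
    }
```

With the username claim set to sub, the AFTER payload yields a UUID as the login name and a warning, while preferred_username yields jdoe. The (iss, sub) key also differs between BEFORE and AFTER, so accounts linked under the old sub value need a migration step.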
