Allow alternatives to preferred_username (#200)

README.md

@@ -68,6 +68,7 @@ Open id configuration
 | `keycloak.enable-basic-auth` | `true` | See [Keycloak configuration](https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config) |
 | `keycloak.bearer-only` | `true` | See [Keycloak configuration](https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config) |
 | `keycloak.disable-trust-manager` | `false` | See [Keycloak configuration](https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config) |
+| `oidc.username-claim` | `preferred_username` | Claim to be used as user id. Should respect [RFC 1123](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names) |
 
 Security configuration :
 | Key | Default | Description |

onyxia-api/src/main/java/fr/insee/onyxia/api/security/KeycloakUserProvider.java

@@ -11,6 +11,7 @@
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.representations.AccessToken;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -26,6 +27,9 @@ public class KeycloakUserProvider {
 
     @Autowired private HttpRequestUtils httpRequestUtils;
 
+    @Value("${oidc.username-claim}")
+    private String usernameClaim;
+
     @Bean
     @Scope(
             scopeName = WebApplicationContext.SCOPE_REQUEST,
@@ -57,12 +61,13 @@ public UserProvider getUserProvider() {
         return (Region region) -> {
             final AccessToken token = getAccessToken();
             final String tokenString = getAccessTokenString();
+            final String userId = getUsername(token);
             final User user =
                     User.newInstance()
                             .addGroups(getGroupsFromToken(region, token))
                             .setEmail(token.getEmail())
                             .setNomComplet(token.getName())
-                            .setIdep(token.getPreferredUsername())
+                            .setIdep(userId)
                             .setIp(
                                     httpRequestUtils.getClientIpAddressIfServletRequestExist(
                                             ((ServletRequestAttributes)
@@ -78,6 +83,15 @@ public UserProvider getUserProvider() {
         };
     }
 
+    private String getUsername(AccessToken token) {
+        if (usernameClaim == null || "preferred_username".equalsIgnoreCase(usernameClaim)) {
+            return token.getPreferredUsername();
+        } else if ("sub".equals(usernameClaim)) {
+            return token.getSubject();
+        }
+        return token.getOtherClaims().get(usernameClaim).toString();
+    }
+
     private List<String> getGroupsFromToken(Region region, final AccessToken token) {
         List<String> groups =
                 ((List<?>) token.getOtherClaims().getOrDefault("groups", List.of()))
@@ -92,4 +106,12 @@ private List<String> getGroupsFromToken(Region region, final AccessToken token)
         }
         return groups;
     }
+
+    public String getUsernameClaim() {
+        return usernameClaim;
+    }
+
+    public void setUsernameClaim(String usernameClaim) {
+        this.usernameClaim = usernameClaim;
+    }
 }

onyxia-api/src/main/resources/application.properties

@@ -1,6 +1,5 @@
 # Authentication
 authentication.mode=none
-
 # Open id connect authentication
 keycloak.realm=
 keycloak.resource=
@@ -10,24 +9,20 @@ keycloak.public-client=true
 keycloak.enable-basic-auth=true
 keycloak.bearer-only=true
 keycloak.disable-trust-manager=false
-
+oidc.username-claim=preferred_username
 # Catalogs
 catalogs.refresh.ms=300000
-
 # Security
 security.cors.allowed_origins=
-
 # Proxy configuration
 http.proxyHost=
 http.proxyPort=
 http.noProxy=
 http.proxyUsername=
 http.proxyPassword=
-
 # Enable compression by default for responses > 1k
 server.compression.enabled=true
 server.compression.min-response-size=1024
-
 # Open API documentation
 springdoc.swagger-ui.path=/
 # use a public client id (frontend)