
Can username be customized other than email?

Open robsonyeg opened this issue 4 years ago • 7 comments

Hello,

I am using Keycloak as the IDP. In Keycloak, a user's attributes include email and username, and sometimes the username is not the same as the email.

Is it possible to make it configurable which attribute of a user is returned as the authenticated user?

Thanks,

robsonyeg, Jul 09 '21 18:07

This would also come in handy for AzureAD (OIDC as well). There it would be better to have the "User Principal Name" within the AzureAD instead of the E-Mail address. Any idea on how to implement this?

jmichler, Aug 03 '21 14:08

Could use that feature as well

TheDwoon, Aug 03 '21 17:08

Keycloak user at home and I found this project because OIDC auth is an "enterprise" feature for traefik. Boo-urns :(

Also, OIDC is everywhere now, but a lot of implementations vary subtly, so more parameters means support for even more platforms beyond Keycloak and Azure 👍

DanceMore, Oct 15 '21 17:10

See #159 and #241.

thmo, Dec 02 '21 21:12

Would also be nice to have other attributes mapped to other headers, such as X-Forwarded-Email.

adyanth, Mar 20 '22 14:03

For Azure the following works better; obviously it would be better to make this "really configurable":

diff --git a/internal/provider/providers.go b/internal/provider/providers.go
index ac863df..c56ea20 100644
--- a/internal/provider/providers.go
+++ b/internal/provider/providers.go
@@ -30,6 +30,7 @@ type token struct {
 // User is the authenticated user
 type User struct {
        Email string `json:"email"`
+       PrefUser string `json:"preferred_username"`
 }

 // OAuthProvider is a provider using the oauth2 library
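Review bot: the new field `PrefUser string `json:"preferred_username"`` should be named `PreferredUsername` to match the claim it is tagged with and Go's naming conventions, and it needs a doc comment like the struct it sits in. Nothing in this hunk guarantees that a given provider returns `preferred_username` at all; when the claim is absent the field silently stays `""`, so every caller must treat an empty value as "no identity" rather than as a valid user.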
diff --git a/internal/server.go b/internal/server.go
index 2e20df5..8e978a2 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -186,10 +186,11 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
                }

                // Generate cookie
-               http.SetCookie(w, MakeCookie(r, user.Email))
+               http.SetCookie(w, MakeCookie(r, user.PrefUser))
                logger.WithFields(logrus.Fields{
                        "provider": providerName,
                        "redirect": redirect,
+                       "prefUser":  user.PrefUser,
                        "user":     user.Email,
                }).Info("Successfully generated auth cookie, redirecting user.")
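Review bot: `http.SetCookie(w, MakeCookie(r, user.PrefUser))` has no guard for an empty `user.PrefUser`; a provider that does not populate `preferred_username` would mint an auth cookie for user `""`, which is a fail-open path. Reject the callback (or fall back to `user.Email`) when the value is empty before calling `MakeCookie`, and consider logging that fallback. Smaller point: `"prefUser":  user.PrefUser,` has a double space that gofmt will realign to the neighbouring `"provider":` and `"redirect":` keys.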

jmichler, Dec 03 '22 22:12

This whole thing ought to be a configurable mapping between OIDC attributes and HTTP headers

laurivosandi, Dec 08 '22 07:12
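What a configurable claim-to-identity and claim-to-header mapping could look like, covering both the opening question (choose which attribute becomes the authenticated user) and the last comment (map OIDC attributes to HTTP headers). This is an added example, not traefik-forward-auth code: `ClaimMapping`, `ResolveUser`, `BuildHeaders` and the sample claim set are assumptions made here for illustration. It fails closed when the configured claim is missing, falls back to a second claim if one is configured, and never emits empty or CR/LF-bearing values into a cookie or header.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ClaimMapping is a hypothetical configuration (not part of traefik-forward-auth):
// which OIDC claim identifies the user, which claim to fall back to when it is
// absent, and which claims are copied into which forwarded headers.
type ClaimMapping struct {
	UserClaim     string            // e.g. "preferred_username" or "upn"
	FallbackClaim string            // e.g. "email"; empty means no fallback
	Headers       map[string]string // header name -> claim name
}

var errNoUser = errors.New("no usable identity claim in token")

// ParseClaims decodes a JSON claim set (ID token payload or userinfo response)
// into a generic map so that any claim can be looked up by name.
func ParseClaims(raw []byte) (map[string]any, error) {
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("decoding claims: %w", err)
	}
	return claims, nil
}

// stringClaim returns the claim as a trimmed string, or "" if it is missing,
// not a string, blank, or contains CR/LF (which must never reach a header or cookie).
func stringClaim(claims map[string]any, name string) string {
	v, ok := claims[name].(string)
	if !ok {
		return ""
	}
	v = strings.TrimSpace(v)
	if strings.ContainsAny(v, "\r\n") {
		return ""
	}
	return v
}

// ResolveUser picks the identity that would be placed in the auth cookie.
// It refuses to return an empty identity: a provider that omits the configured
// claim must fail closed rather than mint a cookie for user "".
func ResolveUser(claims map[string]any, m ClaimMapping) (string, error) {
	if u := stringClaim(claims, m.UserClaim); u != "" {
		return u, nil
	}
	if m.FallbackClaim != "" {
		if u := stringClaim(claims, m.FallbackClaim); u != "" {
			return u, nil
		}
	}
	return "", errNoUser
}

// BuildHeaders copies the mapped claims into forwarded headers. Claims that are
// missing or unusable are skipped rather than sent as empty headers, so a
// downstream service can tell "not provided" from "provided but blank".
func BuildHeaders(claims map[string]any, m ClaimMapping) http.Header {
	h := http.Header{}
	for header, claim := range m.Headers {
		if v := stringClaim(claims, claim); v != "" {
			h.Set(header, v)
		}
	}
	return h
}

func main() {
	// Constructed sample claim set; the values are made up for illustration.
	raw := []byte(`{"sub":"a1b2","email":"jane.doe@example.com","preferred_username":"jdoe","upn":"jdoe@corp.example"}`)
	claims, err := ParseClaims(raw)
	if err != nil {
		panic(err)
	}
	m := ClaimMapping{
		UserClaim:     "preferred_username",
		FallbackClaim: "email",
		Headers: map[string]string{
			"X-Forwarded-User":  "preferred_username",
			"X-Forwarded-Email": "email",
		},
	}
	user, err := ResolveUser(claims, m)
	if err != nil {
		panic(err)
	}
	fmt.Println("cookie identity:", user)
	for k, v := range BuildHeaders(claims, m) {
		fmt.Println(k+":", v[0])
	}
}
```

Pointing `UserClaim` at `upn` instead of `preferred_username` covers the Azure AD case from earlier in the thread without any code change, and a claim that a provider does not send simply produces no header rather than an empty one.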