
align OIDC username attribute name lookup

Open mdaur opened this issue 4 years ago • 2 comments

Signed-off-by: Martin Daur [email protected]

This fix aligns the behaviour of the OIDC username attribute name lookup at these two places:

  • OidcBearerTokenAuthenticationFilter/doFilter
  • JwtAuthoritiesOidcUserService/loadUser

Additionally, this fix checks the existence of the claim which is set by the Spring user-name-attribute property. Doing so allows OIDC scenarios in which the userNameAttributeName might not be available in the case of different OAuth flows. E.g., in Azure AD, preferredUsername is available for the OAuth 2.0 auth code grant and the OAuth 2.0 device code flow, but it is not available for OAuth 2.0 client credentials grants with shared secrets or certificates.

To align with the Spring user-name-attribute property (spring.security.oauth2.client.provider) it makes sense to return the name of the OidcUser and not hardcode the preferredUser (see SpringSecurityAuditorAware).

For backward compatibility you may configure the provider as follows (with the added benefit of a fallback to the sub as the username if there is no such claim): spring.security.oauth2.client.provider.azure.user-name-attribute=preferred_username

Without these adjustments you may end up with "NULL" usernames at various places (e.g. Created by, Last modified by), which also breaks the UI.

mdaur avatar Nov 12 '21 10:11 mdaur
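The lookup the pull request describes (honour the configured user-name-attribute, check that the claim is actually present, fall back to `sub` so no "NULL" username is ever produced), written out as an added illustration. This is a hypothetical helper, not hawkBit's or Spring Security's code; it assumes the token claims are already available as a `Map<String, Object>`, and the two claim sets in `main` are constructed stand-ins for an auth code token and a client credentials token.

```java
import java.util.Map;

/**
 * Resolves a username from OIDC claims with a fallback to "sub".
 * Hypothetical helper illustrating the behaviour described above;
 * intended to be shared by both code paths the PR aligns
 * (bearer-token filter and OIDC user service).
 */
public final class OidcUsernameResolver {

    private static final String SUB = "sub";

    // The claim named by spring.security.oauth2.client.provider.<id>.user-name-attribute
    private final String userNameAttributeName;

    public OidcUsernameResolver(String userNameAttributeName) {
        // An unset property behaves like the OIDC default, which is "sub".
        this.userNameAttributeName =
                (userNameAttributeName == null || userNameAttributeName.isBlank())
                        ? SUB : userNameAttributeName;
    }

    /** Returns the configured claim if present and non-empty, otherwise "sub". */
    public String resolve(Map<String, Object> claims) {
        Object configured = claims.get(userNameAttributeName);
        if (configured instanceof String name && !name.isBlank()) {
            return name;
        }
        // Claim missing for this flow (e.g. client credentials tokens carry no
        // preferred_username): fall back to the subject instead of returning null.
        Object subject = claims.get(SUB);
        if (subject instanceof String sub && !sub.isBlank()) {
            return sub;
        }
        throw new IllegalArgumentException(
                "Token carries neither '" + userNameAttributeName + "' nor 'sub'");
    }

    public static void main(String[] args) {
        OidcUsernameResolver resolver = new OidcUsernameResolver("preferred_username");

        // Constructed claim sets, not real tokens.
        Map<String, Object> authCodeToken = Map.of(
                "sub", "a1b2c3", "preferred_username", "alice@example.com");
        Map<String, Object> clientCredentialsToken = Map.of(
                "sub", "service-principal-object-id", "azp", "app-client-id");

        System.out.println(resolver.resolve(authCodeToken));          // alice@example.com
        System.out.println(resolver.resolve(clientCredentialsToken)); // service-principal-object-id
    }
}
```

Requires Java 16 or later for the `instanceof` pattern binding.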

Can one of the admins verify this patch?

hawkbit-bot avatar Nov 12 '21 11:11 hawkbit-bot