feat: allow configurable username claim field in OIDC (#5507)

Co-authored-by: Colin Adler <colin1adler@gmail.com>
2025-07-08 11:39:50 +00:00 · 2023-01-04 22:16:31 +01:00
parent 8968a00035
commit de0601d611
11 changed files with 59 additions and 3 deletions
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@ -1975,6 +1975,9 @@ const docTemplate = `{
                },
                "scopes": {
                    "$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"
+                },
+                "username_field": {
+                    "$ref": "#/definitions/codersdk.DeploymentConfigField-string"
                }
            }
        },
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@ -1795,6 +1795,9 @@
        },
        "scopes": {
          "$ref": "#/definitions/codersdk.DeploymentConfigField-array_string"
+        },
+        "username_field": {
+          "$ref": "#/definitions/codersdk.DeploymentConfigField-string"
        }
      }
    },
--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@ -880,6 +880,7 @@ func (o *OIDCConfig) OIDCConfig() *coderd.OIDCConfig {
 		}, &oidc.Config{
 			SkipClientIDCheck: true,
 		}),
+		UsernameField: "preferred_username",
 	}
 }

--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -198,6 +198,9 @@ type OIDCConfig struct {
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
 	IgnoreEmailVerified bool
+	// UsernameField selects the claim field to be used as the created user's
+	// username.
+	UsernameField string
 }

 func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
@ -236,7 +239,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	usernameRaw, ok := claims["preferred_username"]
+	usernameRaw, ok := claims[api.OIDCConfig.UsernameField]
 	var username string
 	if ok {
 		username, _ = usernameRaw.(string)