thomseddon · mdusher · Nov 22, 2024 · Nov 22, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine as builder
+FROM golang:1.22-alpine as builder
 
 # Setup
 RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth

diff --git a/README.md b/README.md
@@ -116,7 +116,7 @@ You must set the `providers.google.client-id` and `providers.google.client-secre
 
 Any provider that supports OpenID Connect 1.0 can be configured via the OIDC config options below.
 
-You must set the `providers.oidc.issuer-url`, `providers.oidc.client-id` and `providers.oidc.client-secret` config options.
+You must set the `providers.oidc.issuer-url`, `providers.oidc.client-id` and `providers.oidc.client-secret` config options. `providers.oidc.use-preferred-username` is optional.
 
 Please see the [Provider Setup](https://github.com/thomseddon/traefik-forward-auth/wiki/Provider-Setup) wiki page for examples.
 
@@ -176,6 +176,7 @@ OIDC Provider:
   --providers.oidc.issuer-url=                          Issuer URL [$PROVIDERS_OIDC_ISSUER_URL]
   --providers.oidc.client-id=                           Client ID [$PROVIDERS_OIDC_CLIENT_ID]
   --providers.oidc.client-secret=                       Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
+  --providers.oidc.use-preferred-username               If available, use preferred_username attribute as username (otherwise email) [$PROVIDERS_OIDC_USE_PREFERRED_USERNAME]
   --providers.oidc.resource=                            Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]
 
 Generic OAuth2 Provider:

diff --git a/go.mod b/go.mod
@@ -17,10 +17,8 @@ require (
 require (
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gravitational/trace v1.4.0 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/miekg/dns v1.1.59 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -32,11 +30,8 @@ require (
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/tools v0.21.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

diff --git a/go.sum b/go.sum
diff --git a/internal/provider/oidc.go b/internal/provider/oidc.go
@@ -10,9 +10,10 @@ import (
 
 // OIDC provider
 type OIDC struct {
-	IssuerURL    string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
-	ClientID     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
-	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	IssuerURL            string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
+	ClientID             string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
+	ClientSecret         string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	UsePreferredUsername bool   `long:"use-preferred-username" env:"USE_PREFERRED_USERNAME" description:"If available, use preferred_username attribute as username (otherwise email)"`
 
 	OAuthProvider
 
@@ -95,5 +96,9 @@ func (o *OIDC) GetUser(token string) (User, error) {
 		return user, err
 	}
 
+	if o.UsePreferredUsername && user.PreferredUsername != "" {
+		user.Email = user.PreferredUsername
+	}
+
 	return user, nil
 }
diff --git a/internal/provider/oidc_test.go b/internal/provider/oidc_test.go
@@ -127,6 +127,30 @@ func TestOIDCGetUser(t *testing.T) {
 	assert.Equal("example@example.com", user.Email)
 }
 
+func TestOIDCGetUserAsPreferredUsername(t *testing.T) {
+	assert := assert.New(t)
+
+	provider, server, serverURL, key := setupOIDCTest(t, nil)
+	defer server.Close()
+
+	// Generate JWT
+	token := key.sign(t, []byte(`{
+		"iss": "`+serverURL.String()+`",
+		"exp":`+strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10)+`,
+		"aud": "idtest",
+		"sub": "1",
+		"preferred_username": "example",
+		"email": "example@example.com",
+		"email_verified": true
+	}`))
+
+	// Get user
+	provider.UsePreferredUsername = true
+	user, err := provider.GetUser(token)
+	assert.Nil(err)
+	assert.Equal("example", user.Email)
+}
+
 // Utils
 
 // setOIDCTest creates a key, OIDCServer and initilises an OIDC provider

diff --git a/internal/provider/providers.go b/internal/provider/providers.go
@@ -29,7 +29,8 @@ type token struct {
 
 // User is the authenticated user
 type User struct {
-	Email string `json:"email"`
+	PreferredUsername string `json:"preferred_username"`
+	Email             string `json:"email"`
 }
 
 // OAuthProvider is a provider using the oauth2 library