Allow customizing username when creating user through OIDC (#971)

* add ability to cutomize claim user for username generation on oidc login * update documentation with new OIDC options * oidc: also normalize custom claim as username * improve tests * improve docs * some more cleanup --------- Co-authored-by: Sascha Ißbrücker <sascha.issbruecker@gmail.com>
2025-08-14 05:59:29 +02:00 · 2025-01-30 03:40:52 +01:00
parent fc48b266a8
commit 2973812626
4 changed files with 93 additions and 9 deletions
--- a/bookmarks/tests/test_oidc_support.py
+++ b/bookmarks/tests/test_oidc_support.py
@@ -4,6 +4,8 @@ import os
 from django.test import TestCase, override_settings
 from django.urls import URLResolver

+from bookmarks import utils
+

 class OidcSupportTest(TestCase):
    def test_should_not_add_oidc_urls_by_default(self):
@@ -55,9 +57,83 @@ class OidcSupportTest(TestCase):
        base_settings = importlib.import_module("siteroot.settings.base")
        importlib.reload(base_settings)

-        self.assertEqual(
-            True,
-            base_settings.OIDC_VERIFY_SSL,
-        )
+        self.assertEqual(True, base_settings.OIDC_VERIFY_SSL)
+        self.assertEqual("openid email profile", base_settings.OIDC_RP_SCOPES)
+        self.assertEqual("email", base_settings.OIDC_USERNAME_CLAIM)

-        del os.environ["LD_ENABLE_OIDC"]
+        del os.environ["LD_ENABLE_OIDC"]  # Remove the temporary environment variable
+
+    @override_settings(LD_ENABLE_OIDC=True, OIDC_USERNAME_CLAIM="email")
+    def test_username_should_use_email_by_default(self):
+        claims = {
+            "email": "test@example.com",
+            "name": "test name",
+            "given_name": "test given name",
+            "preferred_username": "test preferred username",
+            "nickname": "test nickname",
+            "groups": [],
+        }
+
+        username = utils.generate_username(claims["email"], claims)
+
+        self.assertEqual(claims["email"], username)
+
+    @override_settings(LD_ENABLE_OIDC=True, OIDC_USERNAME_CLAIM="preferred_username")
+    def test_username_should_use_custom_claim(self):
+        claims = {
+            "email": "test@example.com",
+            "name": "test name",
+            "given_name": "test given name",
+            "preferred_username": "test preferred username",
+            "nickname": "test nickname",
+            "groups": [],
+        }
+
+        username = utils.generate_username(claims["email"], claims)
+
+        self.assertEqual(claims["preferred_username"], username)
+
+    @override_settings(LD_ENABLE_OIDC=True, OIDC_USERNAME_CLAIM="nonexistant_claim")
+    def test_username_should_fallback_to_email_for_non_existing_claim(self):
+        claims = {
+            "email": "test@example.com",
+            "name": "test name",
+            "given_name": "test given name",
+            "preferred_username": "test preferred username",
+            "nickname": "test nickname",
+            "groups": [],
+        }
+
+        username = utils.generate_username(claims["email"], claims)
+
+        self.assertEqual(claims["email"], username)
+
+    @override_settings(LD_ENABLE_OIDC=True, OIDC_USERNAME_CLAIM="preferred_username")
+    def test_username_should_fallback_to_email_for_empty_claim(self):
+        claims = {
+            "email": "test@example.com",
+            "name": "test name",
+            "given_name": "test given name",
+            "preferred_username": "",
+            "nickname": "test nickname",
+            "groups": [],
+        }
+
+        username = utils.generate_username(claims["email"], claims)
+
+        self.assertEqual(claims["email"], username)
+
+    @override_settings(LD_ENABLE_OIDC=True, OIDC_USERNAME_CLAIM="preferred_username")
+    def test_username_should_be_normalized(self):
+        claims = {
+            "email": "test@example.com",
+            "name": "test name",
+            "given_name": "test given name",
+            "preferred_username": "ＮｏｒｍａｌｉｚｅｄＵｓｅｒ",
+            "nickname": "test nickname",
+            "groups": [],
+        }
+
+        username = utils.generate_username(claims["email"], claims)
+
+        self.assertEqual("NormalizedUser", username)
--- a/bookmarks/utils.py
+++ b/bookmarks/utils.py
@@ -9,6 +9,7 @@ from dateutil.relativedelta import relativedelta
 from django.http import HttpResponseRedirect
 from django.template.defaultfilters import pluralize
 from django.utils import timezone, formats
+from django.conf import settings

 try:
    with open("version.txt", "r") as f:
@@ -128,10 +129,13 @@ def redirect_with_query(request, redirect_url):
    return HttpResponseRedirect(redirect_url)


-def generate_username(email):
+def generate_username(email, claims):
    # taken from mozilla-django-oidc docs :)
-
    # Using Python 3 and Django 1.11+, usernames can contain alphanumeric
    # (ascii and unicode), _, @, +, . and - characters. So we normalize
    # it and slice at 150 characters.
-    return unicodedata.normalize("NFKC", email)[:150]
+    if settings.OIDC_USERNAME_CLAIM in claims and claims[settings.OIDC_USERNAME_CLAIM]:
+        username = claims[settings.OIDC_USERNAME_CLAIM]
+    else:
+        username = email
+    return unicodedata.normalize("NFKC", username)[:150]