From a8e828e813db38eeb9e0cf588c3c0a744b87500c Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Wed, 18 May 2022 18:05:27 +0200
Subject: [PATCH 1/9] COR-475: map claims to specific keys

---
 cmd/devinit/main.go                           |   9 +-
 .../src/components/AuthenticatedApp.tsx       |   2 +-
 .../IdentityProviderEditor.tsx                | 104 ++++++++++++++++--
 .../core-authnz-frontend/src/types/types.ts   |  10 +-
 pkg/api/types/identity_provider.go            |  13 ++-
 .../action_performing_auth_code_exchange.go   |   4 +-
 pkg/server/login/store/identity_profile.go    |   7 ++
 pkg/store/identity_provider.go                |  79 ++++++++++---
 8 files changed, 195 insertions(+), 33 deletions(-)
 create mode 100644 pkg/server/login/store/identity_profile.go

diff --git a/cmd/devinit/main.go b/cmd/devinit/main.go
index ec1d85bd2..bf33ad0f4 100644
--- a/cmd/devinit/main.go
+++ b/cmd/devinit/main.go
@@ -322,6 +322,7 @@ func createIdentityProviders(factory store.Factory, err error, orgId string, env
 	if err != nil {
 		return err
 	}
+
 	idp := &types.IdentityProvider{
 		Name:           "Fake OIDC",
 		OrganizationID: orgId,
@@ -330,7 +331,13 @@ func createIdentityProviders(factory store.Factory, err error, orgId string, env
 		ClientSecret:   envCfg.idpClientSecret,
 		EmailDomain:    "nrc.no",
 		Scopes:         "openid profile offline_access",
-		ClaimMappings:  types.ClaimMappings{Mappings: nil, Version: "0"},
+		ClaimMappings:  types.ClaimMappings{Mappings: types.Mappings{
+			Subject:       "{{.Subject}}",
+			DisplayName:   "{{.DisplayName}}",
+			FullName:      "{{.FullName}}",
+			Email:         "{{.Email}}",
+			EmailVerified: "{{.EmailVerified}}",
+		}, Version: "0"},
 	}
 	if len(idps) == 0 {
 		_, err := idpStore.Create(context.Background(), idp, store.IdentityProviderCreateOptions{})
diff --git a/frontend/apps/core-authnz-frontend/src/components/AuthenticatedApp.tsx b/frontend/apps/core-authnz-frontend/src/components/AuthenticatedApp.tsx
index 38add189c..5fea3b32a 100644
--- a/frontend/apps/core-authnz-frontend/src/components/AuthenticatedApp.tsx
+++ b/frontend/apps/core-authnz-frontend/src/components/AuthenticatedApp.tsx
@@ -10,7 +10,7 @@ import { Clients } from './clients/Clients';
 
 const AuthenticatedApp: FC = () => {
   return (
-    <div className="d-flex flex-column vh-100 vw-100 bg-dark">
+    <div className="d-flex flex-column min-vh-100 vw-100 bg-dark">
       <NavBar />
       <Switch>
         <Route path="/organizations/add" component={OrganizationEditor} />
diff --git a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
index 438c62c0a..b21a3899a 100644
--- a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
+++ b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
@@ -18,7 +18,16 @@ type FormData = {
   organizationId: string;
   emailDomain: string;
   scopes: string;
-  claimMappings: { Version: string; Mappings: any };
+  claimMappings: {
+    version: string;
+    mappings: {
+      subject: string;
+      displayName: string;
+      fullName: string;
+      email: string;
+      emailVerified: string;
+    };
+  };
 };
 
 export const IdentityProviderEditor: FC<Props> = (props) => {
@@ -50,17 +59,32 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
     setValue('clientSecret', '');
     setValue('scopes', data.scopes);
     setValue(
-      'claimMappings.Mappings',
-      JSON.stringify(data.claimMappings.Mappings),
+      'claimMappings.mappings.subject',
+      JSON.stringify(data.claimMappings.mappings.subject),
+    );
+    setValue(
+      'claimMappings.mappings.displayName',
+      JSON.stringify(data.claimMappings.mappings.displayName),
+    );
+    setValue(
+      'claimMappings.mappings.fullName',
+      JSON.stringify(data.claimMappings.mappings.fullName),
+    );
+    setValue(
+      'claimMappings.mappings.email',
+      JSON.stringify(data.claimMappings.mappings.email),
+    );
+    setValue(
+      'claimMappings.mappings.emailVerified',
+      JSON.stringify(data.claimMappings.mappings.emailVerified),
     );
-    setVersion(data.claimMappings.Version);
+    setVersion(data.claimMappings.version);
   };
 
   useEffect(() => {
     if (id) {
       apiClient.getIdentityProvider({ id }).then((resp) => {
         if (resp.response) {
-          console.log('RESP', resp.response);
           setData(resp.response);
         }
       });
@@ -81,8 +105,16 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
         emailDomain: args.emailDomain,
         scopes: args.scopes,
         claimMappings: {
-          Version: newVersion,
-          Mappings: JSON.parse(args.claimMappings.Mappings),
+          version: newVersion,
+          mappings: {
+            subject: JSON.parse(args.claimMappings.mappings.subject),
+            displayName: JSON.parse(args.claimMappings.mappings.displayName),
+            fullName: JSON.parse(args.claimMappings.mappings.fullName),
+            email: JSON.parse(args.claimMappings.mappings.email),
+            emailVerified: JSON.parse(
+              args.claimMappings.mappings.emailVerified,
+            ),
+          },
         },
       };
       let resp;
@@ -192,17 +224,67 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
             {fieldErrors('scopes')}
           </div>
 
+          <h6 className="text-light">
+            Current Claim Mapping Version: {version}
+          </h6>
+
           <div className="form-group mb-2">
             <label className="form-label text-light">
-              Claim Mapping (Version: {version})
+              Subject Claim Mapping
             </label>
-            <textarea
-              {...register('claimMappings.Mappings', {
+            <input
+              {...register('claimMappings.mappings.subject', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('claimMappings.mappings.subject'),
+              )}
+            />
+            <label className="form-label text-light">
+              DisplayName Claim Mapping
+            </label>
+            <input
+              {...register('claimMappings.mappings.displayName', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('claimMappings.mappings.displayName'),
+              )}
+            />
+            <label className="form-label text-light">
+              FullName Claim Mapping
+            </label>
+            <input
+              {...register('claimMappings.mappings.fullName', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('claimMappings.mappings.fullName'),
+              )}
+            />
+            <label className="form-label text-light">Email Claim Mapping</label>
+            <input
+              {...register('claimMappings.mappings.email', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('claimMappings.mappings.email'),
+              )}
+            />
+            <label className="form-label text-light">
+              EmailVerified Claim Mapping
+            </label>
+            <input
+              {...register('claimMappings.mappings.emailVerified', {
                 required: true,
               })}
               className={classNames(
                 'form-control form-control-darkula',
-                fieldClasses('claimMappings.Mappings'),
+                fieldClasses('claimMappings.mappings.emailVerified'),
               )}
             />
           </div>
diff --git a/frontend/apps/core-authnz-frontend/src/types/types.ts b/frontend/apps/core-authnz-frontend/src/types/types.ts
index 9f93e2f31..8b590e938 100644
--- a/frontend/apps/core-authnz-frontend/src/types/types.ts
+++ b/frontend/apps/core-authnz-frontend/src/types/types.ts
@@ -104,8 +104,14 @@ export class IdentityProvider {
   public scopes = '';
 
   public claimMappings = {
-    Version: '0',
-    Mappings: {},
+    version: '0',
+    mappings: {
+      subject: '',
+      displayName: '',
+      fullName: '',
+      email: '',
+      emailVerified: '',
+    },
   };
 }
 
diff --git a/pkg/api/types/identity_provider.go b/pkg/api/types/identity_provider.go
index c02bc6580..25cc4b67a 100644
--- a/pkg/api/types/identity_provider.go
+++ b/pkg/api/types/identity_provider.go
@@ -25,10 +25,19 @@ type IdentityProvider struct {
 }
 
 type ClaimMappings struct {
-	Version  string            `json:"Version"`
-	Mappings map[string]string `json:"Mappings"`
+	Version  string   `json:"version"`
+	Mappings Mappings `json:"mappings"`
 }
 
+type Mappings struct {
+	Subject       string `json:"subject"`
+	DisplayName   string `json:"displayName"`
+	FullName      string `json:"fullName"`
+	Email         string `json:"email"`
+	EmailVerified string `json:"emailVerified"`
+}
+
+
 // IdentityProviderList represents a list of IdentityProvider
 type IdentityProviderList struct {
 	Items []*IdentityProvider `json:"items"`
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index 2aeb5fcb0..c34c0fa15 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/looplab/fsm"
+	"github.com/nrc-no/core/pkg/api/types"
 	"github.com/nrc-no/core/pkg/logging"
 	"github.com/nrc-no/core/pkg/server/login/authrequest"
 	"github.com/nrc-no/core/pkg/store"
@@ -64,7 +65,7 @@ func handlePerformingAuthCodeExchange(
 		}
 
 		l.Debug("verifying token")
-		processedToken, err := processOidcToken(req.Context(), tokenFromExchange, verifier)
+		processedToken, err := processOidcToken(req.Context(), tokenFromExchange, verifier, idp)
 		if err != nil {
 			l.Error("failed to verify token", zap.Error(err))
 			return err
@@ -106,6 +107,7 @@ func processOidcToken(
 	ctx context.Context,
 	token *oauth2.Token,
 	verifier *oidc.IDTokenVerifier,
+	idp *types.IdentityProvider,
 ) (*ProcessedToken, error) {
 
 	l := logging.NewLogger(ctx)
diff --git a/pkg/server/login/store/identity_profile.go b/pkg/server/login/store/identity_profile.go
new file mode 100644
index 000000000..4bfd6b934
--- /dev/null
+++ b/pkg/server/login/store/identity_profile.go
@@ -0,0 +1,7 @@
+package store
+
+type IdentityProfile struct {
+	ID                 string
+	IdentityProviderID string
+	Claims             map[string]string `json:"Claims"`
+}
diff --git a/pkg/store/identity_provider.go b/pkg/store/identity_provider.go
index c2b7ae594..005669eab 100644
--- a/pkg/store/identity_provider.go
+++ b/pkg/store/identity_provider.go
@@ -63,7 +63,15 @@ type IdentityProvider struct {
 
 type ClaimMappings struct {
 	Version  string
-	Mappings map[string]string
+	Mappings Mappings
+}
+
+type Mappings struct {
+	Subject       string
+	DisplayName   string
+	FullName      string
+	Email         string
+	EmailVerified string
 }
 
 func (c ClaimMappings) Value() (driver.Value, error) {
@@ -89,7 +97,7 @@ func (c *ClaimMappings) Scan(src interface{}) error {
 		return fmt.Errorf("failed to scan scan claims: value of type %T could not be converted to map[string]interface{}", i)
 	}
 
-	versionIntf, ok := m["Version"]
+	versionIntf, ok := m["version"]
 	if ok {
 		versionStr, ok := versionIntf.(string)
 		if !ok {
@@ -98,20 +106,49 @@ func (c *ClaimMappings) Scan(src interface{}) error {
 		c.Version = versionStr
 	}
 
-	claimMappingsInft, ok := m["Mappings"]
-
-	c.Mappings = map[string]string{}
+	claimMappingsInft, ok := m["mappings"]
 
 	if ok {
 		claimMapping, ok := claimMappingsInft.(map[string]interface{})
 		if ok {
+			subject, okS := claimMapping["subject"].(string)
+			if !okS {
+				return fmt.Errorf("claim mapping is not a string")
+			}
+			if okS {
+				c.Mappings.Subject = subject
+			}
+
+			displayName, okD := claimMapping["displayName"].(string)
+			if !okD {
+				return fmt.Errorf("claim mapping is not a string")
+			}
+			if okD {
+				c.Mappings.DisplayName = displayName
+			}
 
-			for key, elementIntf := range claimMapping {
-				claimStr, ok := elementIntf.(string)
-				if !ok {
-					return fmt.Errorf("claim mapping is not a string")
-				}
-				c.Mappings[key] = claimStr
+			fullName, okF := claimMapping["fullName"].(string)
+			if !okF {
+				return fmt.Errorf("claim mapping is not a string")
+			}
+			if okF {
+				c.Mappings.FullName = fullName
+			}
+
+			email, okE := claimMapping["email"].(string)
+			if !okE {
+				return fmt.Errorf("claim mapping is not a string")
+			}
+			if okE {
+				c.Mappings.Email = email
+			}
+
+			verified, okV := claimMapping["emailVerified"].(string)
+			if !okV {
+				return fmt.Errorf("claim mapping is not a string")
+			}
+			if okV {
+				c.Mappings.EmailVerified = verified
 			}
 		}
 	}
@@ -300,8 +337,14 @@ func mapIdentityProviderList(i IdentityProviders, keepClientSecrets bool) []*typ
 // mapIdentityProviderTo maps a store.IdentityProvider to a types.IdentityProvider
 func mapIdentityProviderTo(i *IdentityProvider, keepClientSecret bool) *types.IdentityProvider {
 	claimMappings := &types.ClaimMappings{
-		Version:  i.ClaimMappings.Version,
-		Mappings: i.ClaimMappings.Mappings,
+		Version: i.ClaimMappings.Version,
+		Mappings: types.Mappings{
+			Subject       : i.ClaimMappings.Mappings.Subject,
+			DisplayName   : i.ClaimMappings.Mappings.DisplayName,
+			FullName      : i.ClaimMappings.Mappings.FullName,
+			Email         : i.ClaimMappings.Mappings.Email,
+			EmailVerified : i.ClaimMappings.Mappings.EmailVerified,
+		},
 	}
 	result := &types.IdentityProvider{
 		ID:             i.ID,
@@ -322,8 +365,14 @@ func mapIdentityProviderTo(i *IdentityProvider, keepClientSecret bool) *types.Id
 // mapIdentityProviderFrom maps a types.IdentityProvider into a store.IdentityProvider
 func mapIdentityProviderFrom(i *types.IdentityProvider) *IdentityProvider {
 	claimMappings := &ClaimMappings{
-		Version:  i.ClaimMappings.Version,
-		Mappings: i.ClaimMappings.Mappings,
+		Version: i.ClaimMappings.Version,
+		Mappings: Mappings{
+			Subject       : i.ClaimMappings.Mappings.Subject,
+			DisplayName   : i.ClaimMappings.Mappings.DisplayName,
+			FullName      : i.ClaimMappings.Mappings.FullName,
+			Email         : i.ClaimMappings.Mappings.Email,
+			EmailVerified : i.ClaimMappings.Mappings.EmailVerified,
+		},
 	}
 	return &IdentityProvider{
 		ID:             i.ID,

From f3b3a2035eda55ac7ade5ace867b88d4aa26b147 Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Tue, 24 May 2022 09:29:42 +0200
Subject: [PATCH 2/9] COR-475: flatten claim mapping structure

---
 cmd/devinit/main.go                           |  14 +-
 .../IdentityProviderEditor.tsx                | 212 ++++++++++--------
 .../core-authnz-frontend/src/types/types.ts   |  12 +-
 pkg/api/types/identity_provider.go            |   6 +-
 .../action_performing_auth_code_exchange.go   |  29 ++-
 pkg/store/identity_provider.go                |  96 +-------
 6 files changed, 176 insertions(+), 193 deletions(-)

diff --git a/cmd/devinit/main.go b/cmd/devinit/main.go
index bf33ad0f4..0d4b418a6 100644
--- a/cmd/devinit/main.go
+++ b/cmd/devinit/main.go
@@ -331,13 +331,13 @@ func createIdentityProviders(factory store.Factory, err error, orgId string, env
 		ClientSecret:   envCfg.idpClientSecret,
 		EmailDomain:    "nrc.no",
 		Scopes:         "openid profile offline_access",
-		ClaimMappings:  types.ClaimMappings{Mappings: types.Mappings{
-			Subject:       "{{.Subject}}",
-			DisplayName:   "{{.DisplayName}}",
-			FullName:      "{{.FullName}}",
-			Email:         "{{.Email}}",
-			EmailVerified: "{{.EmailVerified}}",
-		}, Version: "0"},
+		ClaimMappings:  types.ClaimMappings{
+			Subject:       "sub",
+			DisplayName:   "displayName",
+			FullName:      "fullName",
+			Email:         "email",
+			EmailVerified: "emailVerified",
+			Version: "0"},
 	}
 	if len(idps) == 0 {
 		_, err := idpStore.Create(context.Background(), idp, store.IdentityProviderCreateOptions{})
diff --git a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
index b21a3899a..22c4251f0 100644
--- a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
+++ b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
@@ -20,13 +20,11 @@ type FormData = {
   scopes: string;
   claimMappings: {
     version: string;
-    mappings: {
-      subject: string;
-      displayName: string;
-      fullName: string;
-      email: string;
-      emailVerified: string;
-    };
+    subject: string;
+    displayName: string;
+    fullName: string;
+    email: string;
+    emailVerified: string;
   };
 };
 
@@ -59,24 +57,21 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
     setValue('clientSecret', '');
     setValue('scopes', data.scopes);
     setValue(
-      'claimMappings.mappings.subject',
-      JSON.stringify(data.claimMappings.mappings.subject),
+      'claimMappings.subject',
+      JSON.stringify(data.claimMappings.subject),
     );
     setValue(
-      'claimMappings.mappings.displayName',
-      JSON.stringify(data.claimMappings.mappings.displayName),
+      'claimMappings.displayName',
+      JSON.stringify(data.claimMappings.displayName),
     );
     setValue(
-      'claimMappings.mappings.fullName',
-      JSON.stringify(data.claimMappings.mappings.fullName),
+      'claimMappings.fullName',
+      JSON.stringify(data.claimMappings.fullName),
     );
+    setValue('claimMappings.email', JSON.stringify(data.claimMappings.email));
     setValue(
-      'claimMappings.mappings.email',
-      JSON.stringify(data.claimMappings.mappings.email),
-    );
-    setValue(
-      'claimMappings.mappings.emailVerified',
-      JSON.stringify(data.claimMappings.mappings.emailVerified),
+      'claimMappings.emailVerified',
+      JSON.stringify(data.claimMappings.emailVerified),
     );
     setVersion(data.claimMappings.version);
   };
@@ -106,15 +101,11 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
         scopes: args.scopes,
         claimMappings: {
           version: newVersion,
-          mappings: {
-            subject: JSON.parse(args.claimMappings.mappings.subject),
-            displayName: JSON.parse(args.claimMappings.mappings.displayName),
-            fullName: JSON.parse(args.claimMappings.mappings.fullName),
-            email: JSON.parse(args.claimMappings.mappings.email),
-            emailVerified: JSON.parse(
-              args.claimMappings.mappings.emailVerified,
-            ),
-          },
+          subject: JSON.parse(args.claimMappings.subject),
+          displayName: JSON.parse(args.claimMappings.displayName),
+          fullName: JSON.parse(args.claimMappings.fullName),
+          email: JSON.parse(args.claimMappings.email),
+          emailVerified: JSON.parse(args.claimMappings.emailVerified),
         },
       };
       let resp;
@@ -225,69 +216,114 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
           </div>
 
           <h6 className="text-light">
-            Current Claim Mapping Version: {version}
+            Claim Mapping, Current Version: {version}
           </h6>
 
-          <div className="form-group mb-2">
-            <label className="form-label text-light">
-              Subject Claim Mapping
-            </label>
-            <input
-              {...register('claimMappings.mappings.subject', {
-                required: true,
-              })}
-              className={classNames(
-                'form-control form-control-darkula',
-                fieldClasses('claimMappings.mappings.subject'),
-              )}
-            />
-            <label className="form-label text-light">
-              DisplayName Claim Mapping
-            </label>
-            <input
-              {...register('claimMappings.mappings.displayName', {
-                required: true,
-              })}
-              className={classNames(
-                'form-control form-control-darkula',
-                fieldClasses('claimMappings.mappings.displayName'),
-              )}
-            />
-            <label className="form-label text-light">
-              FullName Claim Mapping
-            </label>
-            <input
-              {...register('claimMappings.mappings.fullName', {
-                required: true,
-              })}
-              className={classNames(
-                'form-control form-control-darkula',
-                fieldClasses('claimMappings.mappings.fullName'),
-              )}
-            />
-            <label className="form-label text-light">Email Claim Mapping</label>
-            <input
-              {...register('claimMappings.mappings.email', {
-                required: true,
-              })}
-              className={classNames(
-                'form-control form-control-darkula',
-                fieldClasses('claimMappings.mappings.email'),
-              )}
-            />
-            <label className="form-label text-light">
-              EmailVerified Claim Mapping
-            </label>
-            <input
-              {...register('claimMappings.mappings.emailVerified', {
-                required: true,
-              })}
-              className={classNames(
-                'form-control form-control-darkula',
-                fieldClasses('claimMappings.mappings.emailVerified'),
-              )}
-            />
+          <div className="form-group row">
+            <div className="col-sm-2 text-light">
+              <label htmlFor="subject">Subject</label>
+            </div>
+            <div className="col-sm-10">
+              <input
+                {...register('claimMappings.subject', {
+                  required: true,
+                })}
+                id="subject"
+                className={classNames(
+                  'form-control form-control-darkula',
+                  fieldClasses('claimMappings.subject'),
+                )}
+              />
+              <small className="form-text text-muted">
+                Please use dot notation
+              </small>
+            </div>
+          </div>
+
+          <div className="form-group row">
+            <div className="col-sm-2 text-light">
+              <label htmlFor="displayName">Display Name</label>
+            </div>
+            <div className="col-sm-10">
+              <input
+                {...register('claimMappings.displayName', {
+                  required: true,
+                })}
+                id="displayName"
+                className={classNames(
+                  'form-control form-control-darkula',
+                  fieldClasses('claimMappings.displayName'),
+                )}
+              />
+              <small className="form-text text-muted">
+                Please use dot notation
+              </small>
+            </div>
+          </div>
+
+          <div className="form-group row">
+            <div className="col-sm-2 text-light">
+              <label htmlFor="fullName">Full Name</label>
+            </div>
+            <div className="col-sm-10">
+              <input
+                {...register('claimMappings.fullName', {
+                  required: true,
+                })}
+                id="fullName"
+                className={classNames(
+                  'form-control form-control-darkula',
+                  fieldClasses('claimMappings.fullName'),
+                )}
+              />
+              <small className="form-text text-muted">
+                Please use dot notation
+              </small>
+            </div>
           </div>
+
+          <div className="form-group row">
+            <div className="col-sm-2 text-light">
+              <label htmlFor="email">Email</label>
+            </div>
+            <div className="col-sm-10">
+              <input
+                {...register('claimMappings.email', {
+                  required: true,
+                })}
+                id="email"
+                className={classNames(
+                  'form-control form-control-darkula',
+                  fieldClasses('claimMappings.email'),
+                )}
+              />
+              <small className="form-text text-muted">
+                Please use dot notation
+              </small>
+            </div>
+          </div>
+
+          <div className="form-group row">
+            <div className="col-sm-2 text-light">
+              <label htmlFor="emailVerified">Email Verified</label>
+            </div>
+            <div className="col-sm-10">
+              <input
+                {...register('claimMappings.emailVerified', {
+                  required: true,
+                })}
+                id="emailVerified"
+                className={classNames(
+                  'form-control form-control-darkula',
+                  fieldClasses('claimMappings.emailVerified'),
+                )}
+              />
+              <small className="form-text text-muted">
+                Please use dot notation
+              </small>
+            </div>
+          </div>
+
           {fieldErrors('claimMappings')}
 
           <button disabled={isSubmitting} className="btn btn-success mt-2">
diff --git a/frontend/apps/core-authnz-frontend/src/types/types.ts b/frontend/apps/core-authnz-frontend/src/types/types.ts
index 8b590e938..e4f4f75ea 100644
--- a/frontend/apps/core-authnz-frontend/src/types/types.ts
+++ b/frontend/apps/core-authnz-frontend/src/types/types.ts
@@ -105,13 +105,11 @@ export class IdentityProvider {
 
   public claimMappings = {
     version: '0',
-    mappings: {
-      subject: '',
-      displayName: '',
-      fullName: '',
-      email: '',
-      emailVerified: '',
-    },
+    subject: '',
+    displayName: '',
+    fullName: '',
+    email: '',
+    emailVerified: '',
   };
 }
 
diff --git a/pkg/api/types/identity_provider.go b/pkg/api/types/identity_provider.go
index 25cc4b67a..34a4491b1 100644
--- a/pkg/api/types/identity_provider.go
+++ b/pkg/api/types/identity_provider.go
@@ -25,11 +25,7 @@ type IdentityProvider struct {
 }
 
 type ClaimMappings struct {
-	Version  string   `json:"version"`
-	Mappings Mappings `json:"mappings"`
-}
-
-type Mappings struct {
+	Version       string `json:"version"`
 	Subject       string `json:"subject"`
 	DisplayName   string `json:"displayName"`
 	FullName      string `json:"fullName"`
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index c34c0fa15..9a88a7fbd 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -136,11 +136,36 @@ func processOidcToken(
 	}
 
 	// unmarshal claims
-	var userProfile authrequest.Claims
-	if err := idToken.Claims(&userProfile); err != nil {
+	var a interface{}
+	var b map[string]interface{}
+	if err := idToken.Claims(&a); err != nil {
 		l.Error("failed to unmarshal claims from ID token", zap.Error(err))
 		return nil, err
 	}
+	var userProfile authrequest.Claims
+
+	b, ok = a.(map[string]interface{})
+
+	subject, ok := b[idp.ClaimMappings.Subject].(string)
+	if ok {
+		userProfile.Subject = subject
+	}
+	displayName, ok := b[idp.ClaimMappings.DisplayName].(string)
+	if ok {
+		userProfile.DisplayName = displayName
+	}
+	fullName, ok := b[idp.ClaimMappings.FullName].(string)
+	if ok {
+		userProfile.FullName = fullName
+	}
+	email, ok := b[idp.ClaimMappings.Email].(string)
+	if ok {
+		userProfile.Email = email
+	}
+	emailVerified, ok := b[idp.ClaimMappings.EmailVerified].(bool)
+	if ok {
+		userProfile.EmailVerified = emailVerified
+	}
 
 	result := &ProcessedToken{
 		OriginalToken: token,
diff --git a/pkg/store/identity_provider.go b/pkg/store/identity_provider.go
index 005669eab..2b6a78efb 100644
--- a/pkg/store/identity_provider.go
+++ b/pkg/store/identity_provider.go
@@ -62,11 +62,7 @@ type IdentityProvider struct {
 }
 
 type ClaimMappings struct {
-	Version  string
-	Mappings Mappings
-}
-
-type Mappings struct {
+	Version       string
 	Subject       string
 	DisplayName   string
 	FullName      string
@@ -85,74 +81,10 @@ func (c *ClaimMappings) Scan(src interface{}) error {
 		return fmt.Errorf("failed to scan scan claims: value of type %T could not be converted to []byte", src)
 	}
 
-	var i interface{}
-	err := json.Unmarshal(source, &i)
+	err := json.Unmarshal(source, &c)
 	if err != nil {
 		return err
 	}
-
-	m, ok := i.(map[string]interface{})
-
-	if !ok {
-		return fmt.Errorf("failed to scan scan claims: value of type %T could not be converted to map[string]interface{}", i)
-	}
-
-	versionIntf, ok := m["version"]
-	if ok {
-		versionStr, ok := versionIntf.(string)
-		if !ok {
-			return fmt.Errorf("version is not a string")
-		}
-		c.Version = versionStr
-	}
-
-	claimMappingsInft, ok := m["mappings"]
-
-	if ok {
-		claimMapping, ok := claimMappingsInft.(map[string]interface{})
-		if ok {
-			subject, okS := claimMapping["subject"].(string)
-			if !okS {
-				return fmt.Errorf("claim mapping is not a string")
-			}
-			if okS {
-				c.Mappings.Subject = subject
-			}
-
-			displayName, okD := claimMapping["displayName"].(string)
-			if !okD {
-				return fmt.Errorf("claim mapping is not a string")
-			}
-			if okD {
-				c.Mappings.DisplayName = displayName
-			}
-
-			fullName, okF := claimMapping["fullName"].(string)
-			if !okF {
-				return fmt.Errorf("claim mapping is not a string")
-			}
-			if okF {
-				c.Mappings.FullName = fullName
-			}
-
-			email, okE := claimMapping["email"].(string)
-			if !okE {
-				return fmt.Errorf("claim mapping is not a string")
-			}
-			if okE {
-				c.Mappings.Email = email
-			}
-
-			verified, okV := claimMapping["emailVerified"].(string)
-			if !okV {
-				return fmt.Errorf("claim mapping is not a string")
-			}
-			if okV {
-				c.Mappings.EmailVerified = verified
-			}
-		}
-	}
-
 	return nil
 }
 
@@ -338,13 +270,11 @@ func mapIdentityProviderList(i IdentityProviders, keepClientSecrets bool) []*typ
 func mapIdentityProviderTo(i *IdentityProvider, keepClientSecret bool) *types.IdentityProvider {
 	claimMappings := &types.ClaimMappings{
 		Version: i.ClaimMappings.Version,
-		Mappings: types.Mappings{
-			Subject       : i.ClaimMappings.Mappings.Subject,
-			DisplayName   : i.ClaimMappings.Mappings.DisplayName,
-			FullName      : i.ClaimMappings.Mappings.FullName,
-			Email         : i.ClaimMappings.Mappings.Email,
-			EmailVerified : i.ClaimMappings.Mappings.EmailVerified,
-		},
+		Subject       : i.ClaimMappings.Subject,
+		DisplayName   : i.ClaimMappings.DisplayName,
+		FullName      : i.ClaimMappings.FullName,
+		Email         : i.ClaimMappings.Email,
+		EmailVerified : i.ClaimMappings.EmailVerified,
 	}
 	result := &types.IdentityProvider{
 		ID:             i.ID,
@@ -366,13 +296,11 @@ func mapIdentityProviderTo(i *IdentityProvider, keepClientSecret bool) *types.Id
 func mapIdentityProviderFrom(i *types.IdentityProvider) *IdentityProvider {
 	claimMappings := &ClaimMappings{
 		Version: i.ClaimMappings.Version,
-		Mappings: Mappings{
-			Subject       : i.ClaimMappings.Mappings.Subject,
-			DisplayName   : i.ClaimMappings.Mappings.DisplayName,
-			FullName      : i.ClaimMappings.Mappings.FullName,
-			Email         : i.ClaimMappings.Mappings.Email,
-			EmailVerified : i.ClaimMappings.Mappings.EmailVerified,
-		},
+		Subject       : i.ClaimMappings.Subject,
+		DisplayName   : i.ClaimMappings.DisplayName,
+		FullName      : i.ClaimMappings.FullName,
+		Email         : i.ClaimMappings.Email,
+		EmailVerified : i.ClaimMappings.EmailVerified,
 	}
 	return &IdentityProvider{
 		ID:             i.ID,

From 8aca64de3470a72f5533991509a102a5ceb9df5c Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Tue, 24 May 2022 11:50:06 +0200
Subject: [PATCH 3/9] COR-475: store claims in profile table

---
 .../action_auth_code_exchange_succeeded.go      | 17 ++++++++++++++++-
 pkg/server/login/store/identity_profile.go      |  6 +++++-
 pkg/server/login/store/interface.go             | 17 +++++++++++++++++
 pkg/server/login/store/migrate.go               |  3 ++-
 pkg/store/migrate.go                            |  4 +++-
 5 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go b/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
index 6eb36baf9..0068c10da 100644
--- a/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
+++ b/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
@@ -45,8 +45,23 @@ func handleAuthCodeExchangeSucceeded(
 					return err
 				}
 				identifier = newIdentity.Credentials[0].Identifiers[0]
+
+				newIdentityProfile := store2.IdentityProfile{
+					ID:    newIdentity.ID,
+					IdentityProviderID: idp.ID,
+					Subject:       authRequest.Claims.Subject,
+					DisplayName:   authRequest.Claims.DisplayName,
+					FullName:      authRequest.Claims.FullName,
+					Email:         authRequest.Claims.Email,
+					EmailVerified: authRequest.Claims.EmailVerified,
+				}
+
+				err2 := loginStore.CreateOidcIdentityProfile(newIdentityProfile)
+				if err2 != nil {
+					l.Error("failed to store identity profile", zap.Error(err2))
+				}
+
 			} else {
-				l.Error("failed to get user identifier for oidc provider", zap.Error(err))
 				return err
 			}
 		}
diff --git a/pkg/server/login/store/identity_profile.go b/pkg/server/login/store/identity_profile.go
index 4bfd6b934..9fd894441 100644
--- a/pkg/server/login/store/identity_profile.go
+++ b/pkg/server/login/store/identity_profile.go
@@ -3,5 +3,9 @@ package store
 type IdentityProfile struct {
 	ID                 string
 	IdentityProviderID string
-	Claims             map[string]string `json:"Claims"`
+	Subject            string
+	DisplayName        string
+	FullName           string
+	Email              string
+	EmailVerified      bool
 }
diff --git a/pkg/server/login/store/interface.go b/pkg/server/login/store/interface.go
index dd99d84b5..b28012b60 100644
--- a/pkg/server/login/store/interface.go
+++ b/pkg/server/login/store/interface.go
@@ -17,6 +17,7 @@ type Interface interface {
 	GetIdentity(ctx context.Context, id string) (*Identity, error)
 	FindOidcIdentifier(identifier string, identityProviderId string) (*CredentialIdentifier, error)
 	CreateOidcIdentity(issuer string, identifier string, initialAccessToken string, initialRefreshToken string, initialIdToken string) (*Identity, error)
+	CreateOidcIdentityProfile(profile IdentityProfile) error
 }
 
 type loginStore struct {
@@ -138,6 +139,22 @@ func (l *loginStore) CreateOidcIdentity(
 
 }
 
+func (l *loginStore) CreateOidcIdentityProfile(
+	profile IdentityProfile,
+) error {
+
+	db, err := l.db.Get()
+	if err != nil {
+		return err
+	}
+
+	if err := db.Create(&profile).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (l *loginStore) FindOidcIdentifier(
 	identifier string,
 	issuer string,
diff --git a/pkg/server/login/store/migrate.go b/pkg/server/login/store/migrate.go
index f51d266ed..566797500 100644
--- a/pkg/server/login/store/migrate.go
+++ b/pkg/server/login/store/migrate.go
@@ -6,5 +6,6 @@ func Migrate(db *gorm.DB) error {
 	return db.AutoMigrate(
 		&Credential{},
 		&Identity{},
-		&CredentialIdentifier{})
+		&CredentialIdentifier{},
+		&IdentityProfile{})
 }
diff --git a/pkg/store/migrate.go b/pkg/store/migrate.go
index 4d86c40e0..03059fe41 100644
--- a/pkg/store/migrate.go
+++ b/pkg/store/migrate.go
@@ -1,6 +1,8 @@
 package store
 
-import "gorm.io/gorm"
+import (
+	"gorm.io/gorm"
+)
 
 func Migrate(db *gorm.DB) error {
 	return db.AutoMigrate(

From fb49a7de1f7a04ce56edc6cdb4592d2ba496d835 Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Tue, 24 May 2022 11:56:01 +0200
Subject: [PATCH 4/9] COR-475: renaming

---
 .../action_performing_auth_code_exchange.go    | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index 9a88a7fbd..ba6aa2c3f 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -136,33 +136,33 @@ func processOidcToken(
 	}
 
 	// unmarshal claims
-	var a interface{}
-	var b map[string]interface{}
-	if err := idToken.Claims(&a); err != nil {
+	var claimInft interface{}
+	if err := idToken.Claims(&claimInft); err != nil {
 		l.Error("failed to unmarshal claims from ID token", zap.Error(err))
 		return nil, err
 	}
 	var userProfile authrequest.Claims
 
-	b, ok = a.(map[string]interface{})
+	var mappedClaimInft map[string]interface{}
+	mappedClaimInft, ok = claimInft.(map[string]interface{})
 
-	subject, ok := b[idp.ClaimMappings.Subject].(string)
+	subject, ok := mappedClaimInft[idp.ClaimMappings.Subject].(string)
 	if ok {
 		userProfile.Subject = subject
 	}
-	displayName, ok := b[idp.ClaimMappings.DisplayName].(string)
+	displayName, ok := mappedClaimInft[idp.ClaimMappings.DisplayName].(string)
 	if ok {
 		userProfile.DisplayName = displayName
 	}
-	fullName, ok := b[idp.ClaimMappings.FullName].(string)
+	fullName, ok := mappedClaimInft[idp.ClaimMappings.FullName].(string)
 	if ok {
 		userProfile.FullName = fullName
 	}
-	email, ok := b[idp.ClaimMappings.Email].(string)
+	email, ok := mappedClaimInft[idp.ClaimMappings.Email].(string)
 	if ok {
 		userProfile.Email = email
 	}
-	emailVerified, ok := b[idp.ClaimMappings.EmailVerified].(bool)
+	emailVerified, ok := mappedClaimInft[idp.ClaimMappings.EmailVerified].(bool)
 	if ok {
 		userProfile.EmailVerified = emailVerified
 	}

From 215e62c0ac5a6c954e9fdddd06da2ef3e99f620e Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Tue, 24 May 2022 11:58:59 +0200
Subject: [PATCH 5/9] COR-475: skip unnecessary parsing

---
 .../IdentityProviderEditor.tsx                | 32 ++++++-------------
 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
index 22c4251f0..e04216fe6 100644
--- a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
+++ b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
@@ -56,23 +56,11 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
     setValue('emailDomain', data.emailDomain);
     setValue('clientSecret', '');
     setValue('scopes', data.scopes);
-    setValue(
-      'claimMappings.subject',
-      JSON.stringify(data.claimMappings.subject),
-    );
-    setValue(
-      'claimMappings.displayName',
-      JSON.stringify(data.claimMappings.displayName),
-    );
-    setValue(
-      'claimMappings.fullName',
-      JSON.stringify(data.claimMappings.fullName),
-    );
-    setValue('claimMappings.email', JSON.stringify(data.claimMappings.email));
-    setValue(
-      'claimMappings.emailVerified',
-      JSON.stringify(data.claimMappings.emailVerified),
-    );
+    setValue('claimMappings.subject', data.claimMappings.subject);
+    setValue('claimMappings.displayName', data.claimMappings.displayName);
+    setValue('claimMappings.fullName', data.claimMappings.fullName);
+    setValue('claimMappings.email', data.claimMappings.email);
+    setValue('claimMappings.emailVerified', data.claimMappings.emailVerified);
     setVersion(data.claimMappings.version);
   };
 
@@ -101,11 +89,11 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
         scopes: args.scopes,
         claimMappings: {
           version: newVersion,
-          subject: JSON.parse(args.claimMappings.subject),
-          displayName: JSON.parse(args.claimMappings.displayName),
-          fullName: JSON.parse(args.claimMappings.fullName),
-          email: JSON.parse(args.claimMappings.email),
-          emailVerified: JSON.parse(args.claimMappings.emailVerified),
+          subject: args.claimMappings.subject,
+          displayName: args.claimMappings.displayName,
+          fullName: args.claimMappings.fullName,
+          email: args.claimMappings.email,
+          emailVerified: args.claimMappings.emailVerified,
         },
       };
       let resp;

From 8378611a32e87ac73089fbae8165bd3255b4f6cf Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Thu, 2 Jun 2022 11:51:32 +0200
Subject: [PATCH 6/9] COR-475: PR comments

---
 .../action_auth_code_exchange_succeeded.go    | 10 +++--
 .../action_performing_auth_code_exchange.go   | 43 +++++++++++++------
 pkg/server/login/store/interface.go           | 14 ++++--
 3 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go b/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
index 0068c10da..6473e453a 100644
--- a/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
+++ b/pkg/server/login/handlers/login/action_auth_code_exchange_succeeded.go
@@ -30,11 +30,12 @@ func handleAuthCodeExchangeSucceeded(
 		}
 
 		l.Debug("finding user identifier for oidc provider", zap.String("subject", authRequest.Claims.Subject), zap.String("domain", idp.Domain))
-		identifier, err := loginStore.FindOidcIdentifier(authRequest.Claims.Subject, idp.Domain)
+		identifier, err := loginStore.FindOidcIdentifier(ctx, authRequest.Claims.Subject, idp.Domain)
 		if err != nil {
 			if meta.ReasonForError(err) == meta.StatusReasonNotFound {
 				l.Info("user identifier not found. creating new identity")
 				newIdentity, err := loginStore.CreateOidcIdentity(
+					ctx,
 					idp.Domain,
 					authRequest.Claims.Subject,
 					authRequest.AccessToken,
@@ -56,12 +57,13 @@ func handleAuthCodeExchangeSucceeded(
 					EmailVerified: authRequest.Claims.EmailVerified,
 				}
 
-				err2 := loginStore.CreateOidcIdentityProfile(newIdentityProfile)
-				if err2 != nil {
-					l.Error("failed to store identity profile", zap.Error(err2))
+				if err := loginStore.CreateOidcIdentityProfile(ctx, newIdentityProfile); err != nil {
+					l.Error("failed to store identity profile", zap.Error(err))
+					return err
 				}
 
 			} else {
+				l.Error("failed to get user identifier for oidc provider", zap.Error(err))
 				return err
 			}
 		}
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index ba6aa2c3f..4f4642e3a 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -135,16 +135,41 @@ func processOidcToken(
 		return nil, err
 	}
 
-	// unmarshal claims
+	userProfile, err := extractIdentityProfile(ctx, idToken, idp)
+
+	result := &ProcessedToken{
+		OriginalToken: token,
+		RawIDToken:    rawIDToken,
+		AccessToken:   token.AccessToken,
+		RefreshToken:  token.RefreshToken,
+		IDToken:       idToken,
+		Claims:        userProfile,
+	}
+
+	return result, nil
+}
+
+
+func extractIdentityProfile(
+	ctx context.Context,
+	idToken *oidc.IDToken,
+	idp *types.IdentityProvider,
+) (*authrequest.Claims, error){
+
+	l := logging.NewLogger(ctx)
+
 	var claimInft interface{}
 	if err := idToken.Claims(&claimInft); err != nil {
 		l.Error("failed to unmarshal claims from ID token", zap.Error(err))
 		return nil, err
 	}
+
 	var userProfile authrequest.Claims
 
-	var mappedClaimInft map[string]interface{}
-	mappedClaimInft, ok = claimInft.(map[string]interface{})
+	mappedClaimInft, ok := claimInft.(map[string]interface{})
+	if !ok {
+		l.Error("failed to cast claims into type map[string]interface{}")
+	}
 
 	subject, ok := mappedClaimInft[idp.ClaimMappings.Subject].(string)
 	if ok {
@@ -166,15 +191,5 @@ func processOidcToken(
 	if ok {
 		userProfile.EmailVerified = emailVerified
 	}
-
-	result := &ProcessedToken{
-		OriginalToken: token,
-		RawIDToken:    rawIDToken,
-		AccessToken:   token.AccessToken,
-		RefreshToken:  token.RefreshToken,
-		IDToken:       idToken,
-		Claims:        &userProfile,
-	}
-
-	return result, nil
+	return &userProfile, nil
 }
diff --git a/pkg/server/login/store/interface.go b/pkg/server/login/store/interface.go
index b28012b60..7bdff5a91 100644
--- a/pkg/server/login/store/interface.go
+++ b/pkg/server/login/store/interface.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"errors"
 	"github.com/nrc-no/core/pkg/api/meta"
+	"github.com/nrc-no/core/pkg/logging"
 	"github.com/nrc-no/core/pkg/store"
 	"github.com/nrc-no/core/pkg/utils/pointers"
 	uuid "github.com/satori/go.uuid"
+	"go.uber.org/zap"
 	"gorm.io/gorm"
 )
 
@@ -15,9 +17,9 @@ type Interface interface {
 	CreateAuthRequest(ctx context.Context, authRequest *AuthRequest) (*AuthRequest, error)
 	UpdateAuthRequest(ctx context.Context, authRequest *AuthRequest) (*AuthRequest, error)
 	GetIdentity(ctx context.Context, id string) (*Identity, error)
-	FindOidcIdentifier(identifier string, identityProviderId string) (*CredentialIdentifier, error)
-	CreateOidcIdentity(issuer string, identifier string, initialAccessToken string, initialRefreshToken string, initialIdToken string) (*Identity, error)
-	CreateOidcIdentityProfile(profile IdentityProfile) error
+	FindOidcIdentifier(ctx context.Context, identifier string, identityProviderId string) (*CredentialIdentifier, error)
+	CreateOidcIdentity(ctx context.Context, issuer string, identifier string, initialAccessToken string, initialRefreshToken string, initialIdToken string) (*Identity, error)
+	CreateOidcIdentityProfile(ctx context.Context, profile IdentityProfile) error
 }
 
 type loginStore struct {
@@ -93,6 +95,7 @@ func (l *loginStore) GetIdentity(ctx context.Context, id string) (*Identity, err
 }
 
 func (l *loginStore) CreateOidcIdentity(
+	ctx context.Context,
 	issuer string,
 	identifier string,
 	initialAccessToken string,
@@ -140,15 +143,19 @@ func (l *loginStore) CreateOidcIdentity(
 }
 
 func (l *loginStore) CreateOidcIdentityProfile(
+	ctx context.Context,
 	profile IdentityProfile,
 ) error {
+	logger := logging.NewLogger(ctx)
 
 	db, err := l.db.Get()
 	if err != nil {
+		logger.Error("failed to create database connection", zap.Error(err))
 		return err
 	}
 
 	if err := db.Create(&profile).Error; err != nil {
+		logger.Error("failed to create IdentityProfile in database", zap.Error(err))
 		return err
 	}
 
@@ -156,6 +163,7 @@ func (l *loginStore) CreateOidcIdentityProfile(
 }
 
 func (l *loginStore) FindOidcIdentifier(
+	ctx context.Context,
 	identifier string,
 	issuer string,
 ) (*CredentialIdentifier, error) {

From f787f336040bd49113af266bc5193c4b5b625b64 Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Fri, 3 Jun 2022 11:26:39 +0200
Subject: [PATCH 7/9] COR-475: tests

---
 .../action_performing_auth_code_exchange.go   | 18 ++---
 ...tion_performing_auth_code_exchange_test.go | 68 +++++++++++++++++++
 pkg/server/login/store/interface_test.go      | 14 ++--
 3 files changed, 88 insertions(+), 12 deletions(-)
 create mode 100644 pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go

diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index 4f4642e3a..5d9a52ee8 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -135,7 +135,14 @@ func processOidcToken(
 		return nil, err
 	}
 
-	userProfile, err := extractIdentityProfile(ctx, idToken, idp)
+
+	var claimInft interface{}
+	if err := idToken.Claims(&claimInft); err != nil {
+		l.Error("failed to unmarshal claims from ID token", zap.Error(err))
+		return nil, err
+	}
+
+	userProfile, err := extractIdentityProfile(ctx, claimInft, idp)
 
 	result := &ProcessedToken{
 		OriginalToken: token,
@@ -152,23 +159,18 @@ func processOidcToken(
 
 func extractIdentityProfile(
 	ctx context.Context,
-	idToken *oidc.IDToken,
+	claimInft interface{},
 	idp *types.IdentityProvider,
 ) (*authrequest.Claims, error){
 
 	l := logging.NewLogger(ctx)
 
-	var claimInft interface{}
-	if err := idToken.Claims(&claimInft); err != nil {
-		l.Error("failed to unmarshal claims from ID token", zap.Error(err))
-		return nil, err
-	}
-
 	var userProfile authrequest.Claims
 
 	mappedClaimInft, ok := claimInft.(map[string]interface{})
 	if !ok {
 		l.Error("failed to cast claims into type map[string]interface{}")
+		return nil, errors.New("failed to cast claims into type map[string]interface{}")
 	}
 
 	subject, ok := mappedClaimInft[idp.ClaimMappings.Subject].(string)
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
new file mode 100644
index 000000000..f2ee8e980
--- /dev/null
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
@@ -0,0 +1,68 @@
+package login
+
+import (
+	"context"
+	"github.com/nrc-no/core/pkg/api/types"
+	"github.com/nrc-no/core/pkg/server/login/authrequest"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+var idp = types.IdentityProvider{
+	ID: "id",
+	Name: "name",
+	OrganizationID: "organizationId",
+	Domain: "domain",
+	ClientID: "clientId",
+	ClientSecret: "secret",
+	EmailDomain: "emailDomain",
+	Scopes: "scope1 scope2",
+	ClaimMappings: types.ClaimMappings{
+		Version       : "VersionFieldName",
+		Subject       : "SubjectFieldName",
+		DisplayName   : "DisplayNameFieldName",
+		FullName      : "FullNameFieldName",
+		Email         : "EmailFieldName",
+		EmailVerified : "EmailVerifiedFieldName",
+	},
+}
+
+
+func TestExtractIdentityProfile(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	tests := []struct {
+		name          string
+		claims        interface{}
+		expect        authrequest.Claims
+	}{
+		{
+			name: "maps correctly",
+			claims: map[string]interface{}{
+				"SubjectFieldName": "subjectValue",
+				"DisplayNameFieldName": "displayNameValue",
+				"FullNameFieldName": "fullNameValue",
+				"EmailFieldName": "emailValue",
+				"EmailVerifiedFieldName": true,
+			},
+			expect: authrequest.Claims{
+				Subject: "subjectValue",
+				DisplayName: "displayNameValue",
+				FullName: "fullNameValue",
+				Email: "emailValue",
+				EmailVerified: true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := extractIdentityProfile(ctx, tt.claims, &idp)
+
+			if !assert.NoError(t, err) {
+				return
+			}
+			assert.Equal(t, tt.expect, *got)
+		})
+	}
+}
diff --git a/pkg/server/login/store/interface_test.go b/pkg/server/login/store/interface_test.go
index 6a6059060..83164b3d8 100644
--- a/pkg/server/login/store/interface_test.go
+++ b/pkg/server/login/store/interface_test.go
@@ -1,6 +1,7 @@
 package store
 
 import (
+	"context"
 	"github.com/nrc-no/core/pkg/mocks"
 	"github.com/nrc-no/core/pkg/store"
 	"github.com/nrc-no/core/pkg/utils/pointers"
@@ -76,10 +77,11 @@ var identity3 = Identity{
 }
 
 func TestFindOidcIdentifier(t *testing.T) {
-
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 	s, _ := getStore(t)
 
-	id, err := s.FindOidcIdentifier("identifier-one", "provider1")
+	id, err := s.FindOidcIdentifier(ctx, "identifier-one", "provider1")
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -95,8 +97,10 @@ func TestFindOidcIdentifier(t *testing.T) {
 }
 
 func TestFindOidcIdentifierWhenUserHasMany(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 	s, _ := getStore(t)
-	id, err := s.FindOidcIdentifier("identifier-two-b", "provider2")
+	id, err := s.FindOidcIdentifier(ctx, "identifier-two-b", "provider2")
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -104,8 +108,10 @@ func TestFindOidcIdentifierWhenUserHasMany(t *testing.T) {
 }
 
 func TestFindOidcIdentifierWhenUserHasMultipleProviders(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 	s, _ := getStore(t)
-	id, err := s.FindOidcIdentifier("identifier-three-b", "provider3b")
+	id, err := s.FindOidcIdentifier(ctx, "identifier-three-b", "provider3b")
 	if !assert.NoError(t, err) {
 		return
 	}

From 162b9ca4b639f94dd7cd90a96ca4a41a042a7694 Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Fri, 3 Jun 2022 13:58:59 +0200
Subject: [PATCH 8/9] COR-475: use go templates

---
 cmd/devinit/main.go                           | 10 +--
 .../IdentityProviderEditor.tsx                | 37 ++++-----
 .../action_performing_auth_code_exchange.go   | 79 ++++++++++++++----
 ...tion_performing_auth_code_exchange_test.go | 83 ++++++++++++++++---
 4 files changed, 155 insertions(+), 54 deletions(-)

diff --git a/cmd/devinit/main.go b/cmd/devinit/main.go
index 0d4b418a6..c55feedd6 100644
--- a/cmd/devinit/main.go
+++ b/cmd/devinit/main.go
@@ -332,11 +332,11 @@ func createIdentityProviders(factory store.Factory, err error, orgId string, env
 		EmailDomain:    "nrc.no",
 		Scopes:         "openid profile offline_access",
 		ClaimMappings:  types.ClaimMappings{
-			Subject:       "sub",
-			DisplayName:   "displayName",
-			FullName:      "fullName",
-			Email:         "email",
-			EmailVerified: "emailVerified",
+			Subject:       "{{.sub}}",
+			DisplayName:   "{{.displayName}}",
+			FullName:      "{{.fullName}}",
+			Email:         "{{.email}}",
+			EmailVerified: "{{.emailVerified}}",
 			Version: "0"},
 	}
 	if len(idps) == 0 {
diff --git a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
index e04216fe6..bcc67d259 100644
--- a/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
+++ b/frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx
@@ -203,11 +203,21 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
             {fieldErrors('scopes')}
           </div>
 
-          <h6 className="text-light">
+          <h6 className="text-light mt-5">
             Claim Mapping, Current Version: {version}
           </h6>
+          <p className="form-text text-muted mb-4">
+            Please use go template syntax:
+            <a
+              href="https://blog.gopheracademy.com/advent-2017/using-go-templates/"
+              target="_blank"
+              rel="noreferrer"
+            >
+              Examples
+            </a>
+          </p>
 
-          <div className="form-group row">
+          <div className="form-group row mb-3">
             <div className="col-sm-2 text-light">
               <label htmlFor="subject">Subject</label>
             </div>
@@ -222,13 +232,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                   fieldClasses('claimMappings.subject'),
                 )}
               />
-              <small className="form-text text-muted">
-                Please use dot notation
-              </small>
             </div>
           </div>
 
-          <div className="form-group row">
+          <div className="form-group row mb-3">
             <div className="col-sm-2 text-light">
               <label htmlFor="displayName">Display Name</label>
             </div>
@@ -243,13 +250,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                   fieldClasses('claimMappings.displayName'),
                 )}
               />
-              <small className="form-text text-muted">
-                Please use dot notation
-              </small>
             </div>
           </div>
 
-          <div className="form-group row">
+          <div className="form-group row mb-3">
             <div className="col-sm-2 text-light">
               <label htmlFor="fullName">Full Name</label>
             </div>
@@ -264,13 +268,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                   fieldClasses('claimMappings.fullName'),
                 )}
               />
-              <small className="form-text text-muted">
-                Please use dot notation
-              </small>
             </div>
           </div>
 
-          <div className="form-group row">
+          <div className="form-group row mb-3">
             <div className="col-sm-2 text-light">
               <label htmlFor="email">Email</label>
             </div>
@@ -285,13 +286,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                   fieldClasses('claimMappings.email'),
                 )}
               />
-              <small className="form-text text-muted">
-                Please use dot notation
-              </small>
             </div>
           </div>
 
-          <div className="form-group row">
+          <div className="form-group row mb-3">
             <div className="col-sm-2 text-light">
               <label htmlFor="emailVerified">Email Verified</label>
             </div>
@@ -306,9 +304,6 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                   fieldClasses('claimMappings.emailVerified'),
                 )}
               />
-              <small className="form-text text-muted">
-                Please use dot notation
-              </small>
             </div>
           </div>
 
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
index 5d9a52ee8..671c8bc9c 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange.go
@@ -1,6 +1,7 @@
 package login
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -13,6 +14,8 @@ import (
 	"go.uber.org/zap"
 	"golang.org/x/oauth2"
 	"net/http"
+	"strconv"
+	"text/template"
 )
 
 func handlePerformingAuthCodeExchange(
@@ -142,7 +145,7 @@ func processOidcToken(
 		return nil, err
 	}
 
-	userProfile, err := extractIdentityProfile(ctx, claimInft, idp)
+	userProfile, err := extractIdentityProfileTemplateVersion(ctx, claimInft, idp)
 
 	result := &ProcessedToken{
 		OriginalToken: token,
@@ -157,7 +160,7 @@ func processOidcToken(
 }
 
 
-func extractIdentityProfile(
+func extractIdentityProfileTemplateVersion(
 	ctx context.Context,
 	claimInft interface{},
 	idp *types.IdentityProvider,
@@ -173,25 +176,67 @@ func extractIdentityProfile(
 		return nil, errors.New("failed to cast claims into type map[string]interface{}")
 	}
 
-	subject, ok := mappedClaimInft[idp.ClaimMappings.Subject].(string)
-	if ok {
-		userProfile.Subject = subject
+	subjectTpl := template.New("")
+	subjectTplParsed, err := subjectTpl.Parse(idp.ClaimMappings.Subject)
+	if err != nil { return nil, err}
+	var subjectBuffer bytes.Buffer
+	if err := subjectTplParsed.Execute(&subjectBuffer, mappedClaimInft); err != nil {
+		l.Error("failed to execute template for subject claim", zap.Error(err))
+		return nil, err
 	}
-	displayName, ok := mappedClaimInft[idp.ClaimMappings.DisplayName].(string)
-	if ok {
-		userProfile.DisplayName = displayName
+	subjectString := subjectBuffer.String()
+	if err != nil { return nil, err}
+	userProfile.Subject = subjectString
+
+	displayNameTpl := template.New("")
+	displayNameTplParsed, err := displayNameTpl.Parse(idp.ClaimMappings.DisplayName)
+	if err != nil { return nil, err}
+	var displayNameBuffer bytes.Buffer
+	if err := displayNameTplParsed.Execute(&displayNameBuffer, mappedClaimInft); err != nil {
+		l.Error("failed to execute template for displayName claim", zap.Error(err))
+		return nil, err
 	}
-	fullName, ok := mappedClaimInft[idp.ClaimMappings.FullName].(string)
-	if ok {
-		userProfile.FullName = fullName
+	displayNameString := displayNameBuffer.String()
+	if err != nil { return nil, err}
+	userProfile.DisplayName = displayNameString
+
+	fullNameTpl := template.New("")
+	fullNameTplParsed, err := fullNameTpl.Parse(idp.ClaimMappings.FullName)
+	if err != nil { return nil, err}
+	var fullNameBuffer bytes.Buffer
+	if err := fullNameTplParsed.Execute(&fullNameBuffer, mappedClaimInft); err != nil {
+		l.Error("failed to execute template for FullName claim", zap.Error(err))
+		return nil, err
 	}
-	email, ok := mappedClaimInft[idp.ClaimMappings.Email].(string)
-	if ok {
-		userProfile.Email = email
+	fullNameString := fullNameBuffer.String()
+	if err != nil { return nil, err}
+	userProfile.FullName = fullNameString
+
+	emailTpl := template.New("")
+	emailTplParsed, err := emailTpl.Parse(idp.ClaimMappings.Email)
+	if err != nil { return nil, err}
+	var emailBuffer bytes.Buffer
+	if err := emailTplParsed.Execute(&emailBuffer, mappedClaimInft); err != nil {
+		l.Error("failed to execute template for FullName claim", zap.Error(err))
+		return nil, err
 	}
-	emailVerified, ok := mappedClaimInft[idp.ClaimMappings.EmailVerified].(bool)
-	if ok {
-		userProfile.EmailVerified = emailVerified
+	emailString := emailBuffer.String()
+	if err != nil { return nil, err}
+	userProfile.Email = emailString
+
+	emailVerifiedTpl := template.New("")
+	emailVerifiedTplParsed, err := emailVerifiedTpl.Parse(idp.ClaimMappings.EmailVerified)
+	if err != nil { return nil, err}
+	var emailVerifiedBuffer bytes.Buffer
+	if err := emailVerifiedTplParsed.Execute(&emailVerifiedBuffer, mappedClaimInft); err != nil {
+		l.Error("failed to execute template for FullName claim", zap.Error(err))
+		return nil, err
 	}
+	emailVerifiedString := emailVerifiedBuffer.String()
+	emailVerifiedBool, _ := strconv.ParseBool(emailVerifiedString)
+	if err != nil { return nil, err}
+	userProfile.EmailVerified = emailVerifiedBool
+
+
 	return &userProfile, nil
 }
diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
index f2ee8e980..357c32edc 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
@@ -18,12 +18,26 @@ var idp = types.IdentityProvider{
 	EmailDomain: "emailDomain",
 	Scopes: "scope1 scope2",
 	ClaimMappings: types.ClaimMappings{
-		Version       : "VersionFieldName",
+		Version       : "v1",
+		Subject       : "{{.SubjectFieldName}}",
+		DisplayName   : "{{.Title}} {{.FirstName}} {{.LastName}}",
+		FullName      : "{{.FirstName}} {{.LastName}}",
+		Email         : "{{.EmailFieldName}}",
+		EmailVerified : "{{.EmailVerifiedFieldName}}",
+	},
+}
+var idp2 = types.IdentityProvider{
+	ID: "id",
+	Name: "name",
+	OrganizationID: "organizationId",
+	Domain: "domain",
+	ClientID: "clientId",
+	ClientSecret: "secret",
+	EmailDomain: "emailDomain",
+	Scopes: "scope1 scope2",
+	ClaimMappings: types.ClaimMappings{
+		Version       : "v1",
 		Subject       : "SubjectFieldName",
-		DisplayName   : "DisplayNameFieldName",
-		FullName      : "FullNameFieldName",
-		Email         : "EmailFieldName",
-		EmailVerified : "EmailVerifiedFieldName",
 	},
 }
 
@@ -35,30 +49,77 @@ func TestExtractIdentityProfile(t *testing.T) {
 	tests := []struct {
 		name          string
 		claims        interface{}
+		idp           types.IdentityProvider
 		expect        authrequest.Claims
+		wantErr       bool
 	}{
 		{
 			name: "maps correctly",
 			claims: map[string]interface{}{
 				"SubjectFieldName": "subjectValue",
-				"DisplayNameFieldName": "displayNameValue",
-				"FullNameFieldName": "fullNameValue",
+				"Title": "Prof.",
+				"FirstName": "Neil",
+				"LastName": "Armstrong",
 				"EmailFieldName": "emailValue",
 				"EmailVerifiedFieldName": true,
 			},
+			idp: idp,
 			expect: authrequest.Claims{
 				Subject: "subjectValue",
-				DisplayName: "displayNameValue",
-				FullName: "fullNameValue",
+				DisplayName: "Prof. Neil Armstrong",
+				FullName: "Neil Armstrong",
 				Email: "emailValue",
 				EmailVerified: true,
 			},
+			wantErr: false,
+		},
+		{
+			name: "fails to map data if IDP claims are not setup correctly",
+			claims: map[string]interface{}{
+				"SubjectFieldName": "subjectValue",
+				"Title": "Prof.",
+				"FirstName": "Neil",
+				"LastName": "Armstrong",
+				"EmailFieldName": "emailValue",
+				"EmailVerifiedFieldName": true,
+			},
+			idp: idp2,
+			expect: authrequest.Claims{
+				Subject: "SubjectFieldName",
+				DisplayName: "",
+				FullName: "",
+				Email: "",
+				EmailVerified: false,
+			},
+			wantErr: false,
+		},
+		{
+			name: "fills profile with placeholders for missing data",
+			claims: map[string]interface{}{
+				"SubjectFieldName": "subjectValue",
+			},
+			expect: authrequest.Claims{
+				Subject: "subjectValue",
+				DisplayName: "<no value> <no value> <no value>",
+				FullName: "<no value> <no value>",
+				Email: "<no value>",
+				EmailVerified: false,
+			},
+			wantErr: false,
+		},
+		{
+			name: "fails if claims is not a map[string]interface{}",
+			claims: 3,
+			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := extractIdentityProfile(ctx, tt.claims, &idp)
-
+			got, err := extractIdentityProfileTemplateVersion(ctx, tt.claims, &tt.idp)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
 			if !assert.NoError(t, err) {
 				return
 			}

From d8067c4f605a35b055c9433bf336d7354bfa2d32 Mon Sep 17 00:00:00 2001
From: internetti <irena.laemmerer@gmail.com>
Date: Fri, 3 Jun 2022 15:08:58 +0200
Subject: [PATCH 9/9] COR-475: fix tests

---
 .../handlers/login/action_performing_auth_code_exchange_test.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
index 357c32edc..226b1d38a 100644
--- a/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
+++ b/pkg/server/login/handlers/login/action_performing_auth_code_exchange_test.go
@@ -98,6 +98,7 @@ func TestExtractIdentityProfile(t *testing.T) {
 			claims: map[string]interface{}{
 				"SubjectFieldName": "subjectValue",
 			},
+			idp: idp,
 			expect: authrequest.Claims{
 				Subject: "subjectValue",
 				DisplayName: "<no value> <no value> <no value>",
@@ -110,6 +111,7 @@ func TestExtractIdentityProfile(t *testing.T) {
 		{
 			name: "fails if claims is not a map[string]interface{}",
 			claims: 3,
+			idp: idp,
 			wantErr: true,
 		},
 	}