feat(oidc): take preferred_username if present (#1430)

migmartri · web-flow · commit e77c2f65cd94 · 2024-10-23T09:57:33.000+02:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/internal/service/auth.go b/app/controlplane/internal/service/auth.go
@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/mail"
 	"net/url"
 	"time"
 
@@ -208,6 +209,24 @@ func loginHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) (int
 // Extract custom claims
 type upstreamOIDCclaims struct {
 	Email string `json:"email"`
+	// This value is present  in the case of Microsoft Entra IDp
+	// It might show the user's proxy email used during login
+	// https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin
+	// https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+	PreferredUsername string `json:"preferred_username"`
+}
+
+// Will retrieve the email from the preferred username if it's a valid email
+// or fallback to the email field
+func (c *upstreamOIDCclaims) preferredEmail() string {
+	if c.PreferredUsername != "" {
+		// validate that this is an email since according to the Entra spec this might be a phone or username
+		if _, err := mail.ParseAddress(c.PreferredUsername); err == nil {
+			return c.PreferredUsername
+		}
+	}
+
+	return c.Email
 }
 
 type errorWithCode struct {
@@ -224,7 +243,7 @@ func callbackHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) (
 	}
 
 	// Create user if needed
-	u, err := svc.userUseCase.FindOrCreateByEmail(ctx, claims.Email)
+	u, err := svc.userUseCase.FindOrCreateByEmail(ctx, claims.preferredEmail())
 	if err != nil {
 		return http.StatusInternalServerError, sl.LogAndMaskErr(err, svc.log)
 	}
diff --git a/app/controlplane/internal/service/auth_test.go b/app/controlplane/internal/service/auth_test.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -87,3 +87,40 @@ func TestGetAuthURLs(t *testing.T) {
 		})
 	}
 }
+
+func TestGetPreferredEmail(t *testing.T) {
+	testCases := []struct {
+		claims *upstreamOIDCclaims
+		want   string
+	}{
+		{
+			claims: &upstreamOIDCclaims{Email: ""},
+			want:   "",
+		},
+		{
+			claims: &upstreamOIDCclaims{Email: "foo@bar.com"},
+			want:   "foo@bar.com",
+		},
+		{
+			claims: &upstreamOIDCclaims{Email: "foo@bar.com", PreferredUsername: "overridden"},
+			want:   "foo@bar.com",
+		},
+		{
+			claims: &upstreamOIDCclaims{Email: "foo@bar.com", PreferredUsername: "overridden@bar.com"},
+			want:   "overridden@bar.com",
+		},
+		{
+			claims: &upstreamOIDCclaims{Email: "foo@bar.com", PreferredUsername: "overridden+22@bar.com"},
+			want:   "overridden+22@bar.com",
+		},
+		{
+			claims: &upstreamOIDCclaims{Email: "foo@bar.com", PreferredUsername: "overridden@bar.sub.com"},
+			want:   "overridden@bar.sub.com",
+		},
+	}
+
+	for _, tc := range testCases {
+		got := tc.claims.preferredEmail()
+		assert.Equal(t, tc.want, got)
+	}
+}
