add regexp mechanism to parse user IDs from tokens

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

README.md

@@ -79,6 +79,28 @@ The OpenID Connect backend will ensure that user ids are unique even when multip
 id to ensure that a user cannot identify for the same Nextcloud account through different providers.
 Therefore, a hash of the provider id and the user id is used. This behaviour can be turned off in the provider options.
 
+### Parsing user IDs from claims
+
+If your ID tokens do not contain the user ID directly in an attribute/claim,
+you can configure user_oidc to apply a regular expression to extract the user ID from the claim.
+
+```php
+'user_oidc' => [
+  'user_id_regexp' => 'u=([^,]+)'
+]
+```
+
+This regular expression may or may not contain parenthesis. If it does, only the selected block will be extracted.
+Examples:
+
+* `'[a-zA-Z]+'`
+  * `'123-abc-123'` will give `'abc'`
+  * `'123-abc-345-def'` will give `'abc'`
+* `'u=([^,]+)'`
+  * `'u=123'` will give `'123'`
+  * `'anything,u=123,anything'` will give `'123'`
+  * `'anything,u=123,anything,u=345'` will give `'123'`
+
 ## Commandline settings
 The app could also be configured by commandline.
 

lib/Controller/LoginController.php

@@ -562,6 +562,8 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'failed to provision user']);
 		}
 
+		$userId = $this->settingsService->parseUserId($userId);
+
 		// prevent login of users that are not in a whitelisted group (if activated)
 		$restrictLoginToGroups = $this->providerService->getSetting($providerId, ProviderService::SETTING_RESTRICT_LOGIN_TO_GROUPS, '0');
 		if ($restrictLoginToGroups === '1') {

lib/Service/SettingsService.php

@@ -13,12 +13,14 @@
 use OCA\UserOIDC\AppInfo\Application;
 use OCP\Exceptions\AppConfigTypeConflictException;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use Psr\Log\LoggerInterface;
 
 class SettingsService {
 
 	public function __construct(
 		private IAppConfig $appConfig,
+		private IConfig $config,
 		private LoggerInterface $logger,
 	) {
 	}
@@ -41,4 +43,14 @@ public function setAllowMultipleUserBackEnds(bool $value): void {
 			$this->appConfig->setValueString(Application::APP_ID, 'allow_multiple_user_backends', $value ? '1' : '0', lazy: true);
 		}
 	}
+
+	public function parseUserId(string $userId): string {
+		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
+		if (isset($oidcSystemConfig['user_id_regexp']) && $oidcSystemConfig['user_id_regexp'] !== '') {
+			if (preg_match('/' . $oidcSystemConfig['user_id_regexp'] . '/', $userId, $matches) === 1) {
+				return $matches[1] ?? $matches[0];
+			}
+		}
+		return $userId;
+	}
 }

lib/User/Backend.php

@@ -18,6 +18,7 @@
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\ProviderService;
 use OCA\UserOIDC\Service\ProvisioningService;
+use OCA\UserOIDC\Service\SettingsService;
 use OCA\UserOIDC\User\Validator\SelfEncodedValidator;
 use OCA\UserOIDC\User\Validator\UserInfoValidator;
 use OCP\AppFramework\Db\DoesNotExistException;
@@ -59,6 +60,7 @@ public function __construct(
 		private ProviderService $providerService,
 		private ProvisioningService $provisioningService,
 		private LdapService $ldapService,
+		private SettingsService $settingsService,
 		private IUserManager $userManager,
 	) {
 	}
@@ -289,6 +291,8 @@ public function getCurrentUserId(): string {
 						$discovery = $this->discoveryService->obtainDiscovery($provider);
 						$this->eventDispatcher->dispatchTyped(new TokenValidatedEvent(['token' => $headerToken], $provider, $discovery));
 
+						$tokenUserId = $this->settingsService->parseUserId($tokenUserId);
+
 						if ($autoProvisionAllowed) {
 							// look for user in other backends
 							if (!$this->userManager->userExists($tokenUserId)) {