Support for Custom SSO Without AUTH_CUSTOM_CLIENT_SECRET and Incorrect Profile Mapping

[lucebert]

Description

While attempting to integrate a custom SSO provider into Langfuse, I encountered two major issues:

1. Langfuse does not support an empty AUTH_CUSTOM_CLIENT_SECRET, which is necessary for my SSO provider as it does not require a client secret.
2. The profile return data from my custom SSO provider is not correctly mapped. For example, firstName, lastName, and emailAddress are not handled as expected.

Details of the Issues:

1. AUTH_CUSTOM_CLIENT_SECRET Handling:

   • In my SSO setup, the client secret is not used or provided. However, Langfuse currently does not allow for an empty AUTH_CUSTOM_CLIENT_SECRET value, which prevents me from proceeding with the integration.
   • I had to modify the logic in auth.ts to allow clientSecret to be empty by setting it to an empty string ("") when it is not defined.

   Example code modification:

   staticProviders.push(
     CustomSSOProvider({
       clientId: env.AUTH_CUSTOM_CLIENT_ID,
       clientSecret: env.AUTH_CUSTOM_CLIENT_SECRET || "",  // Fallback to empty string
       issuer: env.AUTH_CUSTOM_ISSUER,
       allowDangerousEmailAccountLinking:
         env.AUTH_CUSTOM_ALLOW_ACCOUNT_LINKING === "true",
       authorization: {
         params: { scope: env.AUTH_CUSTOM_SCOPE ?? "openid email profile" },
       },
     })
   );

2. Incorrect Profile Data Mapping:

   • The profile data returned by my SSO provider does not map correctly in the current Langfuse setup. Specifically:
     • Name fields: The SSO provider returns firstName and lastName, but Langfuse does not handle this format. I had to concatenate firstName and lastName manually in the profile return object.
     • Email field: The provider uses emailAddress instead of email, which also required manual mapping.

   Example profile mapping modification:

   profile(profile) {
     return {
       id: profile.sub,
       name: profile.firstName + " " + profile.lastName,  // Concatenating firstName and lastName
       email: profile.emailAddress,                       // Using emailAddress instead of email
       image: null,
     };
   }
   

Additional information

Suggested Enhancements:

1. Support for Empty AUTH_CUSTOM_CLIENT_SECRET:

   • The ability to have an empty clientSecret should be supported for OAuth providers that do not require a client secret. A more flexible check or configuration option would resolve this issue.

2. Flexible Profile Mapping:

   • Langfuse could benefit from additional configuration options or hooks for custom mapping of profile data, allowing users to easily map firstName, lastName, and other custom fields returned by different SSO providers.

Steps to Reproduce:

1. Set up a custom OAuth provider that does not require a clientSecret.
2. Attempt to configure the SSO provider with AUTH_CUSTOM_CLIENT_SECRET left blank or empty.
3. Observe that Langfuse throws an error or prevents the integration.
4. Try to log in using the custom SSO provider and notice that the profile data is not mapped correctly.

Expected Behavior:

1. The SSO provider should work without requiring a clientSecret.
2. The profile data should be correctly mapped from the fields provided by the SSO provider, such as firstName, lastName, and emailAddress.