Username from /userinfo (#14038)

This patch enabled Harbor to receive the username from the /userinfo endpoint instead of only from the ID Token. Closes #14037 Signed-off-by: Sven Haardiek <sven@haardiek.de>
2024-11-22 18:25:56 +01:00 · 2021-01-22 11:48:53 +01:00 · 2021-01-22 11:48:53 +01:00 · b2fe254974
commit b2fe254974
parent f013d88efc
1 changed files with 8 additions and 4 deletions
--- a/src/common/utils/oidc/helper.go
+++ b/src/common/utils/oidc/helper.go
@ -264,6 +264,10 @@ func UserInfoFromToken(ctx context.Context, token *Token) (*UserInfo, error) {
 	if err != nil {
 		log.Warningf("Failed to get userInfo by calling remote userinfo endpoint, error: %v ", err)
 	}
+
+	if setting.UserClaim != "" && local.Username == "" && remote.Username == "" {
+		return nil, fmt.Errorf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim)
+	}
 	if remote != nil && local != nil {
 		if remote.Subject != local.Subject {
 			return nil, fmt.Errorf("the subject from userinfo: %s does not match the subject from ID token: %s, probably a security attack happened", remote.Subject, local.Subject)
@ -338,11 +342,11 @@ func userInfoFromClaims(c claimsProvider, setting models.OIDCSetting) (*UserInfo
 			return nil, err
 		}

-		username, ok := allClaims[setting.UserClaim].(string)
-		if !ok {
-			return nil, fmt.Errorf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim)
+		if username, ok := allClaims[setting.UserClaim].(string); ok {
+			res.Username = username
+		} else {
+			log.Warningf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim)
 		}
-		res.Username = username
 	}
 	res.Groups, res.hasGroupClaim = groupsFromClaims(c, setting.GroupsClaim)
 	if len(setting.AdminGroup) > 0 {