lxc · hallyn · Mar 21, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024
@@ -213,7 +213,7 @@ func api10Get(d *Daemon, r *http.Request) response.Response {
 	// Get the authentication methods.
 	authMethods := []string{api.AuthenticationMethodTLS}
 
-	oidcIssuer, oidcClientID, _ := s.GlobalConfig.OIDCServer()
+	oidcIssuer, oidcClientID, _, _ := s.GlobalConfig.OIDCServer()
 	if oidcIssuer != "" && oidcClientID != "" {
 		authMethods = append(authMethods, api.AuthenticationMethodOIDC)
 	}
@@ -998,13 +998,13 @@ func doApi10UpdateTriggers(d *Daemon, nodeChanged, clusterChanged map[string]str
 	}
 
 	if oidcChanged {
-		oidcIssuer, oidcClientID, oidcAudience := clusterConfig.OIDCServer()
+		oidcIssuer, oidcClientID, oidcAudience, oidcClaim := clusterConfig.OIDCServer()
 
 		if oidcIssuer == "" || oidcClientID == "" {
 			d.oidcVerifier = nil
 		} else {
 			var err error
-			d.oidcVerifier, err = oidc.NewVerifier(oidcIssuer, oidcClientID, oidcAudience)
+			d.oidcVerifier, err = oidc.NewVerifier(oidcIssuer, oidcClientID, oidcAudience, oidcClaim)
 			if err != nil {
 				return fmt.Errorf("Failed creating verifier: %w", err)
 			}

@@ -1380,7 +1380,7 @@ func (d *Daemon) init() error {
 
 	d.gateway.HeartbeatOfflineThreshold = d.globalConfig.OfflineThreshold()
 	lokiURL, lokiUsername, lokiPassword, lokiCACert, lokiInstance, lokiLoglevel, lokiLabels, lokiTypes := d.globalConfig.LokiServer()
-	oidcIssuer, oidcClientID, oidcAudience := d.globalConfig.OIDCServer()
+	oidcIssuer, oidcClientID, oidcAudience, oidcClaim := d.globalConfig.OIDCServer()
 	syslogSocketEnabled := d.localConfig.SyslogSocket()
 	openfgaAPIURL, openfgaAPIToken, openfgaStoreID, openFGAAuthorizationModelID := d.globalConfig.OpenFGA()
 	instancePlacementScriptlet := d.globalConfig.InstancesPlacementScriptlet()
@@ -1406,7 +1406,7 @@ func (d *Daemon) init() error {
 
 	// Setup OIDC authentication.
 	if oidcIssuer != "" && oidcClientID != "" {
-		d.oidcVerifier, err = oidc.NewVerifier(oidcIssuer, oidcClientID, oidcAudience)
+		d.oidcVerifier, err = oidc.NewVerifier(oidcIssuer, oidcClientID, oidcAudience, oidcClaim)
 		if err != nil {
 			return err
 		}

@@ -2383,3 +2383,7 @@ This adds the ability to use a signed `JSON Web Token` (`JWT`) instead of using
 In this scenario, the client derives a `JWT` from their own TLS client certificate providing it as a `bearer` token through the `Authorization` HTTP header.
 
 The `JWT` must have the certificate's fingerprint as its `Subject` and must be signed by the client's private key.
+
+## `oidc_claim`
+
+This introduces a new `oidc.claim` server configuration key which can be used to specify what OpenID Connect claim to use as the username.
@@ -1787,6 +1787,13 @@ Specify the volume using the syntax `POOL/VOLUME`.
 This value is required by some providers.
 ```
 
+```{config:option} oidc.claim server-oidc
+:scope: "global"
+:shortdesc: "OpenID Connect claim to use as the username"
+:type: "string"
+
+```
+
 ```{config:option} oidc.client.id server-oidc
 :scope: "global"
 :shortdesc: "OpenID Connect client ID"

@@ -23,6 +23,7 @@ type Verifier struct {
 	clientID  string
 	issuer    string
 	audience  string
+	claim     string
 	cookieKey []byte
 }
 
@@ -129,6 +130,16 @@ func (o *Verifier) Auth(ctx context.Context, w http.ResponseWriter, r *http.Requ
 		}
 	}
 
+	if o.claim != "" {
+		claim := claims.Claims[o.claim]
+		username, ok := claim.(string)
+		if claim == nil || !ok || username == "" {
+			return "", fmt.Errorf("OIDC user is missing required claim %q", o.claim)
+		}
+
+		return username, nil
+	}
+
 	user, ok := claims.Claims["email"]
 	if ok && user != nil && user.(string) != "" {
 		return user.(string), nil
@@ -295,13 +306,13 @@ func getAccessTokenVerifier(issuer string) (op.AccessTokenVerifier, error) {
 }
 
 // NewVerifier returns a Verifier.
-func NewVerifier(issuer string, clientid string, audience string) (*Verifier, error) {
+func NewVerifier(issuer string, clientid string, audience string, claim string) (*Verifier, error) {
 	cookieKey, err := uuid.New().MarshalBinary()
 	if err != nil {
 		return nil, fmt.Errorf("Failed to create UUID: %w", err)
 	}
 
-	verifier := &Verifier{issuer: issuer, clientID: clientid, audience: audience, cookieKey: cookieKey}
+	verifier := &Verifier{issuer: issuer, clientID: clientid, audience: audience, cookieKey: cookieKey, claim: claim}
 	verifier.accessTokenVerifier, _ = getAccessTokenVerifier(issuer)
 
 	return verifier, nil

@@ -214,8 +214,8 @@ func (c *Config) RemoteTokenExpiry() string {
 }
 
 // OIDCServer returns all the OpenID Connect settings needed to connect to a server.
-func (c *Config) OIDCServer() (string, string, string) {
-	return c.m.GetString("oidc.issuer"), c.m.GetString("oidc.client.id"), c.m.GetString("oidc.audience")
+func (c *Config) OIDCServer() (string, string, string, string) {
+	return c.m.GetString("oidc.issuer"), c.m.GetString("oidc.client.id"), c.m.GetString("oidc.audience"), c.m.GetString("oidc.claim")
 }
 
 // ClusterHealingThreshold returns the configured healing threshold, i.e. the
@@ -685,6 +685,14 @@ var ConfigSchema = config.Schema{
 	//  shortdesc: Expected audience value for the application
 	"oidc.audience": {},
 
+	// gendoc:generate(entity=server, group=oidc, key=oidc.claim)
+	//
+	// ---
+	//  type: string
+	//  scope: global
+	//  shortdesc: OpenID Connect claim to use as the username
+	"oidc.claim": {},
+
 	// OVN networking global keys.
 
 	// gendoc:generate(entity=server, group=miscellaneous, key=network.ovn.integration_bridge)

@@ -1962,6 +1962,14 @@
 							"type": "string"
 						}
 					},
+					{
+						"oidc.claim": {
+							"longdesc": "",
+							"scope": "global",
+							"shortdesc": "OpenID Connect claim to use as the username",
+							"type": "string"
+						}
+					},
 					{
 						"oidc.client.id": {
 							"longdesc": "",

@@ -401,6 +401,7 @@ var APIExtensions = []string{
 	"storage_lvm_cluster",
 	"shared_custom_block_volumes",
 	"auth_tls_jwt",
+	"oidc_claim",
 }
 
 // APIExtensionsCount returns the number of available API extensions.