From: Nico Cesar
Date: Mon, 19 Jul 2021 22:03:38 +0000 (-0400)
Subject: OIDC given name / family name fields support
X-Git-Tag: 2.3.0~139^2
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/8a0e803df2dc4ce35596faa6c17f6bb22db72668
OIDC given name / family name fields support
Arvados-DCO-1.1-Signed-off-by: Nico Cesar
---
diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 61dc5c816b..6182469ac3 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -177,12 +177,19 @@ func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, token *oauth2.
 } else if verified, _ := claims[ctrl.EmailVerifiedClaim].(bool); verified || ctrl.EmailVerifiedClaim == "" {
 // Fall back to this info if the People API call
 // (below) doesn't return a primary && verified email.
- name, _ := claims["name"].(string)
- if names := strings.Fields(strings.TrimSpace(name)); len(names) > 1 {
- ret.FirstName = strings.Join(names[0:len(names)-1], " ")
- ret.LastName = names[len(names)-1]
- } else if len(names) > 0 {
- ret.FirstName = names[0]
+ givenName, _ := claims["given_name"].(string)
+ familyName, _ := claims["family_name"].(string)
+ if givenName != "" && familyName != "" {
+ ret.FirstName = givenName
+ ret.LastName = familyName
+ } else {
+ name, _ := claims["name"].(string)
+ if names := strings.Fields(strings.TrimSpace(name)); len(names) > 1 {
+ ret.FirstName = strings.Join(names[0:len(names)-1], " ")
+ ret.LastName = names[len(names)-1]
+ } else if len(names) > 0 {
+ ret.FirstName = names[0]
+ }
 }
 ret.Email, _ = claims[ctrl.EmailClaim].(string)
 }
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 4be7d58f69..4778e45f5f 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
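Review bot: In getAuthInfo (lib/controller/localdb/login_oidc.go) the new `given_name`/`family_name` values are copied into ret.FirstName and ret.LastName exactly as the identity provider sent them, while the `name` fallback still goes through `strings.TrimSpace`/`strings.Fields`. A whitespace-only or padded claim therefore passes the `givenName != "" && familyName != ""` test and lands untrimmed in the returned auth info; I would normalise first with `givenName = strings.TrimSpace(givenName)` and `familyName = strings.TrimSpace(familyName)`. The `&&` also means a provider that sends only one of the two claims has that value dropped in favour of splitting `name`, which deserves a comment such as `// Use given_name/family_name only when the provider sends both; otherwise split "name".` getAuthInfo begins and ends outside this hunk, so how the values are used afterwards is not visible here.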
@@ -56,6 +56,8 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
 s.fakeProvider.AuthEmail = "active-user@arvados.local"
 s.fakeProvider.AuthEmailVerified = true
 s.fakeProvider.AuthName = "Fake User Name"
+ s.fakeProvider.AuthGivenName = "Fake"
+ s.fakeProvider.AuthFamilyName = "User Name"
 s.fakeProvider.ValidCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
 s.fakeProvider.PeopleAPIResponse = map[string]interface{}{}
@@ -421,8 +423,8 @@ func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 authinfo := getCallbackAuthInfo(c, s.railsSpy)
- c.Check(authinfo.FirstName, check.Equals, "Fake User")
- c.Check(authinfo.LastName, check.Equals, "Name")
+ c.Check(authinfo.FirstName, check.Equals, "Fake")
+ c.Check(authinfo.LastName, check.Equals, "User Name")
 c.Check(authinfo.Email, check.Equals, "active-user@arvados.local")
 c.Check(authinfo.AlternateEmails, check.HasLen, 0)
@@ -446,6 +448,7 @@ func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 func (s *OIDCLoginSuite) TestGoogleLogin_RealName(c *check.C) {
 s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
+ s.fakeProvider.AuthEmailVerified = true
 s.fakeProvider.PeopleAPIResponse = map[string]interface{}{
 "names": []map[string]interface{}{
 {
@@ -471,8 +474,10 @@ func (s *OIDCLoginSuite) TestGoogleLogin_RealName(c *check.C) {
 c.Check(authinfo.LastName, check.Equals, "Psmith")
 }
-func (s *OIDCLoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
+func (s *OIDCLoginSuite) TestGoogleLogin_OIDCNameWithoutGivenAndFamilyNames(c *check.C) {
 s.fakeProvider.AuthName = "Joe P. Smith"
+ s.fakeProvider.AuthGivenName = ""
+ s.fakeProvider.AuthFamilyName = ""
 s.fakeProvider.AuthEmail = "joe.smith@primary.example.com"
 state := s.startLogin(c)
 s.localdb.Login(context.Background(), arvados.LoginOptions{
diff --git a/sdk/go/arvadostest/oidc_provider.go b/sdk/go/arvadostest/oidc_provider.go
index de21302e5a..fa5e55c42e 100644
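Review bot: Neither TestGoogleLogin_Success nor TestGoogleLogin_OIDCNameWithoutGivenAndFamilyNames in login_oidc_test.go covers a token that carries only one of `given_name`/`family_name`; the suite either sets both or clears both. Since getAuthInfo treats that case as a fall-back to `name`, a further case with `s.fakeProvider.AuthGivenName = "Joe"` and `s.fakeProvider.AuthFamilyName = ""`, asserting the split of AuthName, would pin that behaviour. The added `s.fakeProvider.AuthEmailVerified = true` in TestGoogleLogin_RealName repeats the value SetUpTest already assigns, so it could be dropped or given a comment saying why it is restated.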
--- a/sdk/go/arvadostest/oidc_provider.go
+++ b/sdk/go/arvadostest/oidc_provider.go
@@ -29,6 +29,8 @@ type OIDCProvider struct {
 AuthEmail string
 AuthEmailVerified bool
 AuthName string
+ AuthGivenName string
+ AuthFamilyName string
 AccessTokenPayload map[string]interface{}
 PeopleAPIResponse map[string]interface{}
@@ -96,6 +98,8 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 "email": p.AuthEmail,
 "email_verified": p.AuthEmailVerified,
 "name": p.AuthName,
+ "given_name": p.AuthGivenName,
+ "family_name": p.AuthFamilyName,
 "alt_verified": true, // for custom claim tests
 "alt_email": "alt_email@example.com", // for custom claim tests
 "alt_username": "desired-username", // for custom claim tests
@@ -131,8 +135,8 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 json.NewEncoder(w).Encode(map[string]interface{}{
 "sub": "fake-user-id",
 "name": p.AuthName,
- "given_name": p.AuthName,
- "family_name": "",
+ "given_name": p.AuthGivenName,
+ "family_name": p.AuthFamilyName,
 "alt_username": "desired-username",
 "email": p.AuthEmail,
 "email_verified": p.AuthEmailVerified,
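Review bot: The second map in serveOIDC (the one passed to `json.NewEncoder(w).Encode`) used to return `given_name` equal to AuthName and now returns AuthGivenName, which is empty unless a test sets it. Any other suite that builds an arvadostest.OIDCProvider without the new fields (none is visible in this diff) would now receive empty `given_name`/`family_name` claims. The struct fields deserve a doc comment saying so, e.g. `// AuthGivenName and AuthFamilyName populate the given_name/family_name claims; empty by default.` serveOIDC starts and ends outside these hunks.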