Open jjaraalm opened 2 years ago

Moving from v0.6.3 to master, it looks like the OpenID auth was refactored into jwtUtil. However, this no longer works with providers that do not use `unique_name` by default such as Google. In v0.6.3, any valid claim was used as the username, while in v0.7.0 only the claim `unique_name` is allowed to be the username. See https://github.com/HDFGroup/hsds/blob/9e1f08183f6f5e7ad51c57a6d2e7ba0ecfd95f02/hsds/util/jwtUtil.py#L177-L191

The v0.6.3 behavior wasn't great so I understand why it was changed, but this needs to be configurable. Possible options:

- … `unique_name` isn't present)
- `openid_username_claim` and maybe also `openid_roles_claim`

@jjaraalm - thanks for reporting this!
I don't have an easy way right now to test with OpenID auth - would you be willing to create a PR for the fix?
I can verify against Azure AD.

Slightly favor the first approach to have less tweaking of config settings needed by deployers.

I'll think about putting a PR in, but it's not the highest priority for me right now.
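As an added example, not code from hsds or from anyone in this thread: a Python sketch of the two options raised in the issue (a configurable username claim plus an explicit fallback when `unique_name` is absent, and a configurable roles claim), run over constructed payloads. The function names, the sample payloads and the `email_verified` check are assumptions made here, not hsds behaviour.

```python
from typing import Iterable, List, Mapping, Optional

# Constructed sample payloads standing in for already signature-verified JWTs.
# Azure AD v1 tokens carry unique_name; Google ID tokens carry sub/email instead.
AZURE_PAYLOAD = {"iss": "https://sts.windows.net/example-tenant/", "sub": "azure-sub-1",
                 "unique_name": "alice@example.com", "roles": ["admin"]}
GOOGLE_PAYLOAD = {"iss": "https://accounts.google.com", "sub": "1234567890",
                  "email": "bob@example.com", "email_verified": True}
UNVERIFIED_PAYLOAD = {"iss": "https://accounts.google.com", "sub": "555",
                      "email": "mallory@example.com", "email_verified": False}


def username_from_claims(payload: Mapping, username_claim: str = "unique_name",
                         fallback_claims: Iterable[str] = ("email",)) -> Optional[str]:
    """Pick the username from a verified payload.

    username_claim mirrors the proposed openid_username_claim setting (assumed name);
    fallback_claims mirrors the "use something else if unique_name isn't present"
    option. Unlike accepting any claim, only the configured claims are consulted,
    only non-empty strings count, and email is trusted only when the provider marks
    it verified.
    """
    for claim in (username_claim, *fallback_claims):
        value = payload.get(claim)
        if not isinstance(value, str) or not value.strip():
            continue
        if claim == "email" and payload.get("email_verified") is not True:
            continue
        return value
    return None  # no acceptable identity claim: caller should reject the token


def roles_from_claims(payload: Mapping, roles_claim: str = "roles") -> List[str]:
    """Read roles from the configured claim (mirrors openid_roles_claim, assumed name).

    Providers differ in shape (list vs. single string); anything else yields no roles.
    """
    value = payload.get(roles_claim)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [r for r in value if isinstance(r, str)]
    return []
```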