IQSS / dataverse

Open source research data repository software
http://dataverse.org

Feature Request: Enforce a username convention for OIDC logins #10147

Open jarulsamy opened 7 months ago

jarulsamy commented 7 months ago

Overview of the Feature Request

When a user logs in using an OIDC provider, such as Keycloak, they are allowed to choose any username for their Dataverse ID. I would like to be able to enforce that users use their email address (from the OIDC provider) as their Dataverse ID (or up to the @ symbol, bob@foo.org would have the ID bob).

What kind of user is the feature intended for?

All users logging in through OIDC.

What inspired the request?

Our academic institution would like to maintain a single 'username' for all users. That way, the username is consistent for all of our campus services. We are concerned when deploying our initial Dataverse environment that users are able to use arbitrary usernames.

Modifications / Additions to Dataverse Behavior

Any open or closed issues related to this feature request?

pdurbin commented 7 months ago

@jarulsamy hi, thanks for opening this issue. A couple thoughts for you:

As a workaround, if someone picks the "wrong" username, you could change it administratively after the fact using this API: https://guides.dataverse.org/en/6.0/api/native-api.html#change-user-identifier

Shibboleth users can't select their username at sign up time either. OAuth users have a suggested username pre-populated for them.

Usernames are unique across the installation so this feature wouldn't make sense for an installation like Harvard Dataverse or UNC Dataverse where people have accounts from all over the world. So it should be a setting, something to opt-in to.

jarulsamy commented 7 months ago

@pdurbin Hello,

I agree, it should be an opt-in feature only. I understand this feature has some conflicts with existing workflows, for example what would happen if two users logged in through two different providers (e.g. one user logs in with our OIDC method, and another from GitHub), and had the same username? We'd have to find a way to deal with such conflicts.

I have all our users in an on-prem IDM instance, so I was thinking I could export a list of users, and pre-seed my Dataverse instance with those usernames. Given the broad API support Dataverse has, I believe it is possible. That's my current workaround plan, plus I could change any new users' usernames using the API you mentioned in the future. I think for the time being, that would be sufficient for me (assuming it all works :-))

pdurbin commented 7 months ago

Right, in practice, for Shibboleth, where users can't pick their username, we add a number like jarulsamy1, jarulsamy2, etc.

Yes, I believe others have pre-seeded the user tables with info from their IDM. Should work.
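The convention and collision handling discussed in this thread, as an added example that is not part of Dataverse's code or of any comment above: a small Python routine that derives the ID from the local part of the OIDC email claim and reserves numbered names (jarulsamy1, jarulsamy2) the way the Shibboleth case does, so a pre-seeded user list never contains two accounts with the same ID. The username alphabet and length limit are assumptions for the example, not Dataverse's actual validation rules.

```python
import re
from typing import Dict, Iterable, Set

# Assumed username rule for this example (not Dataverse's real validator):
# 2-60 characters drawn from letters, digits, '.', '_' and '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{2,60}$")


def is_valid_username(name: str) -> bool:
    """True if the name satisfies the assumed username rule."""
    return USERNAME_RE.match(name) is not None


def local_part(email: str) -> str:
    """Return the part of an email address before '@', lower-cased."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    return email.split("@", 1)[0].lower()


def derive_username(email: str) -> str:
    """Derive a Dataverse ID from an OIDC email claim: bob@foo.org -> bob.
    Characters outside the assumed alphabet (e.g. '+') are dropped."""
    candidate = re.sub(r"[^A-Za-z0-9._-]", "", local_part(email))
    if not is_valid_username(candidate):
        raise ValueError(f"cannot derive a valid username from {email!r}")
    return candidate


def resolve_collision(username: str, taken: Set[str]) -> str:
    """Append 1, 2, ... until the name is free, mirroring the jarulsamy1,
    jarulsamy2 scheme used for Shibboleth accounts."""
    if username not in taken:
        return username
    n = 1
    while f"{username}{n}" in taken:
        n += 1
    return f"{username}{n}"


def preseed(emails: Iterable[str], taken: Set[str]) -> Dict[str, str]:
    """Map each IDM email to the username it would receive, reserving each
    name as it is assigned so two emails never share a Dataverse ID."""
    reserved = set(taken)  # existing usernames in the installation (constructed input)
    assigned: Dict[str, str] = {}
    for email in emails:
        name = resolve_collision(derive_username(email), reserved)
        reserved.add(name)
        assigned[email] = name
    return assigned
```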