mastodon / mastodon

Your self-hosted, globally interconnected microblogging community
https://joinmastodon.org
GNU Affero General Public License v3.0
46.72k stars 6.89k forks

OIDC sets email address as display name #22837

Open verymilan opened 1 year ago

verymilan commented 1 year ago

Steps to reproduce the problem

  1. Configure OIDC_* for https://github.com/justingreerbbi/wordpress-oauth-server
  2. Log in with OpenID for the first time

Expected behaviour

Display name should be unset or given name

Actual behaviour

Display name is set to email address

Detailed description

Hi there, I've just deployed a new Mastodon instance and tried to connect it to the OAuth Server Wordpress Plugin. After discovering OIDC_UID_FIELD=user_login, it now sets the username correctly, but I couldn't find a way to specify the display name, which now shows the email address – this is concerning if a user realizes this too late.

Unlike with SAML, there is no config for this behavior it seems. I am not sure who is at fault here (the plugin or omniauth), but it would be great if there was an option to at least specify the display name like the uid field.

Current settings:

OIDC_ENABLED=true
OIDC_DISPLAY_NAME=Example Name
OIDC_ISSUER=https://example.com
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile" # works the same with just 'openid' here
OIDC_UID_FIELD=user_login
OIDC_CLIENT_ID=redacted
OIDC_CLIENT_SECRET=redacted
OIDC_REDIRECT_URI=https://mastoexample.com/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true

Specifications

Mastodon v4.0.2, Node v16.19, Ruby 3.0.4p208, Ubuntu 22.04.1

ineffyble commented 1 year ago

Related to #20672

ThisIsMissEm commented 1 month ago

What's the user info response for the OAuth Server Wordpress Plugin?

For the User's display name, we currently rely on using one of the following properties returned by the User Info endpoint:

That said, I am currently investigating how we can support the normal user registration flow for SSO.
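
A sketch of the behaviour requested in this issue, added here as an example and not taken from Mastodon or omniauth: choose the display name from standard OIDC userinfo claims and leave it unset rather than fall back to the email address. The helper name `safe_display_name`, the claim order and the 30-character limit are assumptions, and the sample responses are constructed.

```ruby
# Added illustration; not Mastodon's or omniauth's code.
# Claim names are the standard ones from OpenID Connect Core, section 5.1.

# Heuristic: anything shaped like local@domain is treated as an email address.
def email_like?(value)
  value.match?(/\A[^@\s]+@[^@\s]+\z/)
end

# Returns a display name taken from a userinfo claims hash, or nil when no
# safe candidate exists. The email claim is never a fallback, and a claim that
# repeats the email address (or looks like any email address) is skipped.
# max_length is an assumed display-name limit.
def safe_display_name(claims, max_length: 30)
  email = claims['email'].to_s.strip.downcase
  given_family = [claims['given_name'], claims['family_name']].compact.join(' ')
  candidates = [claims['name'], given_family,
                claims['preferred_username'], claims['nickname']]

  candidates.each do |raw|
    value = raw.to_s.strip
    next if value.empty?
    next if !email.empty? && value.downcase == email
    next if email_like?(value)
    return value[0, max_length]
  end
  nil
end

# Constructed userinfo responses (not captured from any real provider).
SAMPLES = {
  email_as_name: { 'sub' => '42', 'name' => 'alice@example.com',
                   'email' => 'alice@example.com', 'given_name' => 'Alice' },
  email_only:    { 'sub' => '43', 'email' => 'bob@example.com' },
  full_name:     { 'sub' => '44', 'name' => 'Carol Doe',
                   'email' => 'carol@example.com' },
  other_email:   { 'sub' => '45', 'preferred_username' => 'dave@corp.example',
                   'email' => 'dave@example.com' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, claims|
    puts "#{label}: #{safe_display_name(claims).inspect}"
  end
end
```

A `nil` result corresponds to the "unset" outcome listed under expected behaviour, so the user can pick a display name themselves.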