Closed tsmethurst closed 1 year ago
Forgot to link it earlier, but this also relates to https://github.com/superseriousbusiness/gotosocial/issues/309
I really like the gitea approach: on first registration, prompt the user for a desired username/display name, but prefill it with claims from the token.
This also offers an easy fallback regarding #309.
Right now we just use the `Name` field of the OIDC claim for username. We should make it possible for instance admins to configure which claim field(s) should map to which User fields.

This will require adding some new config options in the `internal/config` package (and updating cli tests), fleshing out the `Claims` struct in `internal/oidc` to add more standard OIDC fields, and also updating the `parseUserFromClaims` function in `internal/api/client/auth/callback.go` to map using the configured fields rather than hardcoded ones.

To avoid breaking any existing deployments, the config should still use `Name` as the default Username mapping.
To support all this, we should write some decent OIDC documentation!
Handy document explaining different claims + scopes etc: https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1
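As an added illustration of the configurable claim-to-field mapping proposed in this issue (example code, not gotosocial's own): a stand-in for `parseUserFromClaims` that reads the claim names from a hypothetical `ClaimMapping` config, keeps `name` as the default username source, and rejects unverified or malformed claim values instead of trusting whatever the provider sends. `ClaimMapping`, `User`, `stringClaim`, `usernameRe` and the sample claims are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ClaimMapping is a hypothetical config block: which OIDC claim feeds which user field.
// DefaultClaimMapping keeps "name" as the username source, as existing deployments expect.
type ClaimMapping struct{ UsernameClaim, DisplayNameClaim, EmailClaim string }
var DefaultClaimMapping = ClaimMapping{UsernameClaim: "name", DisplayNameClaim: "name", EmailClaim: "email"}
type User struct{ Username, DisplayName, Email string } // stand-in for the account the callback creates
var usernameRe = regexp.MustCompile(`^[a-z0-9_]{1,64}$`)
// stringClaim fetches one claim from the decoded ID-token payload as a non-empty string.
func stringClaim(claims map[string]any, key string) (string, error) {
	if s, ok := claims[key].(string); ok && s != "" {
		return s, nil
	}
	return "", fmt.Errorf("claim %q missing or not a non-empty string", key)
}
// ParseUserFromClaims maps claims to a User via the configured mapping rather than hardcoded
// fields. It requires a verified email and normalises then validates the username.
func ParseUserFromClaims(claims map[string]any, m ClaimMapping) (*User, error) {
	if verified, _ := claims["email_verified"].(bool); !verified {
		return nil, fmt.Errorf("email_verified claim is not true")
	}
	email, err := stringClaim(claims, m.EmailClaim)
	if err != nil {
		return nil, err
	}
	raw, err := stringClaim(claims, m.UsernameClaim)
	if err != nil {
		return nil, err
	}
	username := strings.ToLower(strings.ReplaceAll(strings.TrimSpace(raw), " ", "_"))
	if !usernameRe.MatchString(username) {
		return nil, fmt.Errorf("claim %q yields invalid username %q", m.UsernameClaim, username)
	}
	display, err := stringClaim(claims, m.DisplayNameClaim)
	if err != nil {
		display = username // display name is optional; fall back to the username
	}
	return &User{Username: username, DisplayName: display, Email: email}, nil
}
func main() {
	// Constructed sample claims, as decoded from a provider's ID token.
	claims := map[string]any{"name": "Jane Doe", "preferred_username": "jdoe", "email": "jane@example.org", "email_verified": true}
	fmt.Println(ParseUserFromClaims(claims, ClaimMapping{"preferred_username", "name", "email"}))
}
```

With the default mapping the same claims yield the username `jane_doe` (derived from `name`); switching `UsernameClaim` to `preferred_username` yields `jdoe`, which is the kind of admin-side choice the issue asks for.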