tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

`null` username when using GitLab as OIDC provider. #900

Open pawelrubin opened 3 years ago

pawelrubin commented 3 years ago

When connecting to AKHQ using GitLab OIDC, the username field is null:

```json
{
    "logged": true,
    "username": "null"
}
```

despite setting the username-field to nickname. According to GitLab docs, the nickname field should be available.

AKHQ_CONFIGURATION file:

```yaml
akhq:
  connections:
    ...

  security:
    default-group: no-roles
    oidc:
      enabled: true
      providers:
        gitlab:
          label: Log in with GitLab
          default-group: reader
          groups-field: groups
          username-field: nickname

micronaut:
  security:
    enabled: true
    oauth2:
      enabled: true
      clients:
        gitlab:
          client-id: <oidc-id>
          client-secret: <oidc-secret>
          scopes:
            - openid
            - profile
            - email
          openid:
            issuer: <gitlab-url>
```

twobeeb commented 2 years ago

Hello, the GitLab doc also specifies the following:

> The claims sub, sub_legacy, email, email_verified and groups_direct are included in the ID token. All other claims are available from the /oauth/userinfo endpoint used by OIDC clients.

pawelrubin commented 2 years ago

Hi @twobeeb,

Excellent remark! The email claim indeed works fine.

However, if one wants to use the nickname claim, do you know, by any chance, how to use the /oauth/userinfo endpoint?

tchiotludo commented 2 years ago

It's not possible as far as I know. To do this, you need to implement a custom User Mapper for each provider. I don't think we are going to support this due to the huge amount of work for each one.
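The check below is an added example, not part of the thread and not AKHQ code. It decodes an ID token payload and reports whether the configured `username-field` and `groups-field` are present in it, assuming (as the thread indicates) that the fields are read from the ID token and not from `/oauth/userinfo`. The token is constructed and unsigned, shaped after the claim list quoted from the GitLab docs, and the function names are hypothetical.

```python
import base64
import json


def decode_id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload for inspection only. The signature is NOT verified,
    so the result must never feed an authentication or authorization decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_field_mapping(claims: dict, username_field: str, groups_field: str) -> dict:
    """Report which configured fields the ID token can actually satisfy."""
    report = {}
    for setting, field in (("username-field", username_field),
                           ("groups-field", groups_field)):
        report[setting] = {
            "claim": field,
            "in_id_token": field in claims,
            "value": claims.get(field),  # None here corresponds to a null username
        }
    return report


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_token() -> str:
    """Constructed, unsigned sample carrying only the claims the quoted docs list."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "42", "sub_legacy": "constructed-legacy-id",
               "email": "dev@example.com", "email_verified": True,
               "groups_direct": ["platform"]}
    return f"{_b64url(header)}.{_b64url(payload)}.constructed-signature"


if __name__ == "__main__":
    claims = decode_id_token_claims(build_sample_token())
    # The configuration from the issue: neither field is in the ID token.
    print(json.dumps(check_field_mapping(claims, "nickname", "groups"), indent=2))
    # Fields that the quoted claim list says are in the ID token.
    print(json.dumps(check_field_mapping(claims, "email", "groups_direct"), indent=2))
```

With the constructed token, `nickname` and `groups` both come back absent, while `email` and `groups_direct` resolve. To run the same check against a real deployment, pass the ID token captured from a test login to `decode_id_token_claims`.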