zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

Can't set custom OAuth2 to add email and displayName to users #287

Closed Emi94 closed 2 years ago

Emi94 commented 3 years ago

Hi, I've set a custom OAuth2 with an instance of Apereo CAS and login works. But I can't set it to recognize the user email and displayName.

This is how I set it (I've tried multiple combinations for "Scope" and "Profile Fields"): (screenshot of the provider settings not reproduced)

And this is what CAS returns:

{
  "service": "MyClientID",
  "attributes": {
    "displayName": "Emilian Test",
    "email": "emilian.test@domain.com",
    "oauthClientId": "MyClientID"
  },
  "id": "emilian.test",
  "client_id": "MyClientID"
}

My guess is either "Scope" or "Profile Fields" needs some values, but not sure what they should be since they are not documented. Can you give me some pointers please?

Emi94 commented 3 years ago

I've tried to look at https://github.com/zorn-v/nextcloud-social-login/blob/master/lib/Provider/CustomOAuth2.php to understand how to do what I need and doing something like:

$response->displayName = $response->attributes->displayName;
$response->email = $response->attributes->email;

Allows social login to recognize the displayName and email, where "attributes" is taken from what CAS returns. But this is more like a little hack. Is there a way to do this from the web interface that I don't see, or does this require the app to be modified?

zorn-v commented 3 years ago

OAuth2 fields (claims) are not standardized, so we have what we have. My proposal is to configure it as an OIDC provider, not OAuth2. It seems Apereo CAS supports it: https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html

Emi94 commented 2 years ago

@zorn-v Would you accept a pull request from one of our team's devs with a solution?

Discourse for example allows to custom map email and displayName to what the OAuth2 provider returns. So in my case I used "attributes.email" and "attributes.displayName". Not sure how it is implemented as I'm not really a dev and didn't take a look, but there are solutions.

Also, I know CAS also supports OIDC, but can you please tell me why should I try it? Never worked with OIDC and don't know much about it.

zorn-v commented 2 years ago

but can you please tell me why should I try it?

It works in a more "standardized" way, e.g. standard field names (like display name, picture, user identifier etc.) that it returns. OIDC is like an OAuth extension.

Emi94 commented 2 years ago

Just when I wanted to start testing with OIDC, I came across an option for OAuth2 on CAS to "flatten" the attributes returned so it would look like:

{
  "displayName": "Emilian Test",
  "email": "emilian.mitocariu@domain.com",
  "oauthClientId": "MyClientID",
  "service": "MyClientID",
  "id": "emilian.test",
  "client_id": "MyClientID"
}

This solves my problem :smiley:, so I'll close this issue

PS: in case someone has the same problem with CAS and social login, this is the config: cas.authn.oauth.user-profile-view-type=FLAT (NESTED being the default value)
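The two shapes CAS can return (NESTED, where the user attributes sit under "attributes", and FLAT, where they are at the top level) are what the earlier `$response->attributes->displayName` hack and the `user-profile-view-type=FLAT` workaround are both dealing with. As an added example that is not code from nextcloud-social-login or from CAS, the snippet below resolves a configurable dotted-path mapping such as `attributes.email` against either layout and refuses to produce a user record without an identifier or with a malformed email. The function names `resolveClaim` and `mapProfile`, the `$mapping` array and its keys are illustrative, not the app's real settings, and the two sample responses are constructed from the JSON posted in this thread.

```php
<?php
// Added example (not the app's own code): map claims from a custom OAuth2
// profile response to the fields social login needs, tolerating both the
// NESTED (default) and FLAT CAS layouts discussed in this issue.
declare(strict_types=1);

/** Walk a dotted path such as "attributes.email" through a decoded JSON array. */
function resolveClaim(array $profile, string $path): ?string
{
    $node = $profile;
    foreach (explode('.', $path) as $key) {
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return null;
        }
        $node = $node[$key];
    }
    // Only accept plain strings: an object or list is never a valid
    // email or display name and must not be coerced into one.
    return is_string($node) ? $node : null;
}

/**
 * Build the normalized profile from a raw response.
 * $mapping is target field => ordered list of candidate paths; the first
 * path that yields a non-empty string wins. Fails closed when no usable
 * identifier is present instead of logging in an anonymous/guessed user.
 */
function mapProfile(array $profile, array $mapping): array
{
    $out = [];
    foreach ($mapping as $field => $paths) {
        foreach ($paths as $path) {
            $value = resolveClaim($profile, $path);
            if ($value !== null && $value !== '') {
                $out[$field] = $value;
                break;
            }
        }
    }
    if (empty($out['identifier'])) {
        throw new RuntimeException('profile response has no usable user identifier');
    }
    if (isset($out['email']) && filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) {
        // A malformed email must not be used for account matching.
        unset($out['email']);
    }
    return $out;
}

// Constructed sample responses modelled on the two shapes posted above.
$nested = json_decode('{"service":"MyClientID","attributes":{"displayName":"Emilian Test",'
    . '"email":"emilian.test@domain.com","oauthClientId":"MyClientID"},'
    . '"id":"emilian.test","client_id":"MyClientID"}', true);
$flat = json_decode('{"displayName":"Emilian Test","email":"emilian.test@domain.com",'
    . '"oauthClientId":"MyClientID","service":"MyClientID",'
    . '"id":"emilian.test","client_id":"MyClientID"}', true);

// One mapping that works for both layouts: try the nested path, then the flat one.
$mapping = [
    'identifier'  => ['id'],
    'email'       => ['attributes.email', 'email'],
    'displayName' => ['attributes.displayName', 'displayName'],
];

foreach (['nested' => $nested, 'flat' => $flat] as $label => $profile) {
    echo $label, ': ', json_encode(mapProfile($profile, $mapping)), PHP_EOL;
}
```

Both runs produce the same normalized record (identifier `emilian.test`, the email and the display name), which is the point: the mapping, not the provider's chosen nesting, decides which claim becomes the Nextcloud user's email. Keep the mapping under administrator control only; the path strings select which attribute is trusted for account linking, so they must never be taken from the provider response or from user input.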