Defined via an OIDC_EXTERNAL_ID_CLAIM env option.
For #3914
OIDC_USER_TO_GROUPS=false
OIDC_GROUPS_CLAIM=groups
OIDC_REMOVE_FROM_GROUPS=false
+OIDC_EXTERNAL_ID_CLAIM=sub
# Disable default third-party services such as Gravatar and Draw.IO
# Service-specific options will override this option
*/
protected function getUserDetails(OidcIdToken $token): array
{
- $id = $token->getClaim('sub');
+ $idClaim = $this->config()['external_id_claim'];
+ $id = $token->getClaim($idClaim);
return [
'external_id' => $id,
// Dump user details after a login request for debugging purposes
'dump_user_details' => env('OIDC_DUMP_USER_DETAILS', false),
- // Attribute, within a OpenId token, to find the user's display name
+ // Claim, within an OpenId token, to find the user's display name
'display_name_claims' => explode('|', env('OIDC_DISPLAY_NAME_CLAIMS', 'name')),
+ // Claim, within an OpenID token, to use to connect a BookStack user to the OIDC user.
+ 'external_id_claim' => env('OIDC_EXTERNAL_ID_CLAIM', 'sub'),
+
// OAuth2/OpenId client id, as configured in your Authorization server.
'client_id' => env('OIDC_CLIENT_ID', null),
'oidc.user_to_groups' => false,
'oidc.groups_claim' => 'group',
'oidc.remove_from_groups' => false,
+ 'oidc.external_id_claim' => 'sub',
]);
}
$this->assertTrue(auth()->check());
}
+ public function test_auth_uses_configured_external_id_claim_option()
+ {
+ config()->set([
+ 'oidc.external_id_claim' => 'super_awesome_id',
+ ]);
+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'super_awesome_id' => 'xXBennyTheGeezXx',
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+ $this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id);
+ }
+
public function test_login_group_sync()
{
config()->set([