[ARVADOS] created: 2.1.0-902-g5c8a7da1f

Git user git at public.arvados.org
Mon Jun 7 19:56:30 UTC 2021


        at  5c8a7da1f403b44adfdd1f132988bdffc21d9228 (commit)


commit 5c8a7da1f403b44adfdd1f132988bdffc21d9228
Author: Nico Cesar <nico at nicocesar.com>
Date:   Mon Jun 7 15:47:20 2021 -0400

    given_name / family_name claims support
    
    Arvados-DCO-1.1-Signed-off-by: Nico Cesar <nico at curii.com>

diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 61dc5c816..294b09d09 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -175,14 +175,23 @@ func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, token *oauth2.
 	if err := claimser.Claims(&claims); err != nil {
 		return nil, fmt.Errorf("error extracting claims from token: %s", err)
 	} else if verified, _ := claims[ctrl.EmailVerifiedClaim].(bool); verified || ctrl.EmailVerifiedClaim == "" {
-		// Fall back to this info if the People API call
-		// (below) doesn't return a primary && verified email.
-		name, _ := claims["name"].(string)
-		if names := strings.Fields(strings.TrimSpace(name)); len(names) > 1 {
-			ret.FirstName = strings.Join(names[0:len(names)-1], " ")
-			ret.LastName = names[len(names)-1]
-		} else if len(names) > 0 {
-			ret.FirstName = names[0]
+		givenName, ok := claims["given_name"].(string)
+		if ok {
+			ret.FirstName = givenName
+		}
+		familyName, ok := claims["family_name"].(string)
+		if ok {
+			ret.LastName = familyName
+		} else {
+			// Fall back to this info if the People API call
+			// (below) doesn't return a primary && verified email.
+			name, _ := claims["name"].(string)
+			if names := strings.Fields(strings.TrimSpace(name)); len(names) > 1 {
+				ret.FirstName = strings.Join(names[0:len(names)-1], " ")
+				ret.LastName = names[len(names)-1]
+			} else if len(names) > 0 {
+				ret.FirstName = names[0]
+			}
 		}
 		ret.Email, _ = claims[ctrl.EmailClaim].(string)
 	}
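Review bot: The fallback to the `name` claim depends only on whether `family_name` type-asserts to a string, so the two new claims are not handled as a pair. A token with `given_name` but no `family_name` gets `ret.FirstName` overwritten by the split of `name`, while a token whose `family_name` is an empty string skips the fallback and can leave a name field empty. Reading both claims first and falling back only when neither is usable makes the result predictable; whether a single non-empty claim should be enough is a policy choice to confirm. The retained People API comment now sits inside the `else`, where it reads as describing only the fallback rather than the whole claims block. getAuthInfo starts before this hunk and continues after it.

```go
		givenName, _ := claims["given_name"].(string)
		familyName, _ := claims["family_name"].(string)
		if givenName != "" || familyName != "" {
			ret.FirstName = givenName
			ret.LastName = familyName
		} else {
			// … unchanged: split the "name" claim into FirstName / LastName …
		}
```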
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index c9d6133c4..e719a8c5e 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -56,6 +56,8 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
 	s.fakeProvider.AuthEmail = "active-user at arvados.local"
 	s.fakeProvider.AuthEmailVerified = true
 	s.fakeProvider.AuthName = "Fake User Name"
+	s.fakeProvider.AuthGivenName = "Fake"
+	s.fakeProvider.AuthFamilyName = "User Name"
 	s.fakeProvider.ValidCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
 	s.fakeProvider.PeopleAPIResponse = map[string]interface{}{}
 
@@ -421,8 +423,8 @@ func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 	c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 
 	authinfo := getCallbackAuthInfo(c, s.railsSpy)
-	c.Check(authinfo.FirstName, check.Equals, "Fake User")
-	c.Check(authinfo.LastName, check.Equals, "Name")
+	c.Check(authinfo.FirstName, check.Equals, "Fake")
+	c.Check(authinfo.LastName, check.Equals, "User Name")
 	c.Check(authinfo.Email, check.Equals, "active-user at arvados.local")
 	c.Check(authinfo.AlternateEmails, check.HasLen, 0)
 
@@ -485,6 +487,22 @@ func (s *OIDCLoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
 	c.Check(authinfo.LastName, check.Equals, "Smith")
 }
 
+func (s *OIDCLoginSuite) TestGoogleLogin_OIDCClamisWithGivenNames(c *check.C) {
+	s.fakeProvider.AuthName = "Federico Garcia Lorca"
+	s.fakeProvider.AuthGivenName = "Federico"
+	s.fakeProvider.AuthFamilyName = "Garcia Lorca"
+	s.fakeProvider.AuthEmail = "federico.garcia.lorca at primary.example.com"
+	state := s.startLogin(c)
+	s.localdb.Login(context.Background(), arvados.LoginOptions{
+		Code:  s.fakeProvider.ValidCode,
+		State: state,
+	})
+
+	authinfo := getCallbackAuthInfo(c, s.railsSpy)
+	c.Check(authinfo.FirstName, check.Equals, "Federico")
+	c.Check(authinfo.LastName, check.Equals, "Garcia Lorca")
+}
+
 // People API returns some additional email addresses.
 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses(c *check.C) {
 	s.fakeProvider.AuthEmail = "joe.smith at primary.example.com"
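Review bot: The new test discards the result of `s.localdb.Login(...)`, so a failed login would only surface indirectly through getCallbackAuthInfo. Assuming Login returns an error as its last result, capture it and add `c.Assert(err, check.IsNil)` before reading the callback. The test name has a typo and should read `TestGoogleLogin_OIDCClaimsWithGivenNames`. Only the case with both claims present is covered; a case with `given_name` set and `family_name` missing would pin down the intended precedence against the `name` claim.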
diff --git a/sdk/go/arvadostest/oidc_provider.go b/sdk/go/arvadostest/oidc_provider.go
index de21302e5..fa5e55c42 100644
--- a/sdk/go/arvadostest/oidc_provider.go
+++ b/sdk/go/arvadostest/oidc_provider.go
@@ -29,6 +29,8 @@ type OIDCProvider struct {
 	AuthEmail          string
 	AuthEmailVerified  bool
 	AuthName           string
+	AuthGivenName      string
+	AuthFamilyName     string
 	AccessTokenPayload map[string]interface{}
 
 	PeopleAPIResponse map[string]interface{}
@@ -96,6 +98,8 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 			"email":          p.AuthEmail,
 			"email_verified": p.AuthEmailVerified,
 			"name":           p.AuthName,
+			"given_name":     p.AuthGivenName,
+			"family_name":    p.AuthFamilyName,
 			"alt_verified":   true,                    // for custom claim tests
 			"alt_email":      "alt_email at example.com", // for custom claim tests
 			"alt_username":   "desired-username",      // for custom claim tests
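Review bot: The claim map here always emits `given_name` and `family_name` as strings, even when the fields are empty, so no test can produce a token that lacks them; the same applies to the second serveOIDC hunk below. As far as these hunks show, the `name`-splitting fallback in getAuthInfo can no longer be reached through the fake provider, because its type assertion on `family_name` always succeeds. Consider building the map before encoding and adding the keys conditionally, e.g. `if p.AuthFamilyName != "" { claims["family_name"] = p.AuthFamilyName }`, so tests can exercise providers that omit these claims. serveOIDC starts and ends outside this hunk.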
@@ -131,8 +135,8 @@ func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
 		json.NewEncoder(w).Encode(map[string]interface{}{
 			"sub":            "fake-user-id",
 			"name":           p.AuthName,
-			"given_name":     p.AuthName,
-			"family_name":    "",
+			"given_name":     p.AuthGivenName,
+			"family_name":    p.AuthFamilyName,
 			"alt_username":   "desired-username",
 			"email":          p.AuthEmail,
 			"email_verified": p.AuthEmailVerified,

-----------------------------------------------------------------------


hooks/post-receive
-- 



