✨ Add openid-attr support and dot notation for OIDC attribute (#8946)

* ✨ Add openid-attr support and dot notation for OIDC attribute paths * ♻️ Simplify OIDC: add dot-notation for attr paths and retain sub claim * ♻️ Fix OIDC: fix * 🐛 Fix OIDC nested attr lookup for dot notation * ♻️ Remove unused OIDC openid-attr support --------- Signed-off-by: Andrey Antukh <niwi@niwi.nz> Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-04-25 11:18:36 +00:00 · 2026-04-16 03:12:37 -06:00 · 2026-04-16 03:12:37 -06:00 · 81061013b1
commit 81061013b1
parent b2f173675e
2 changed files with 43 additions and 7 deletions
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -401,8 +401,9 @@

 (defn- parse-attr-path
  [provider path]
-  (let [[fitem & items] (str/split path "__")]
-    (into [(keyword (:type provider) fitem)] (map keyword) items)))
+  (let [separator        (if (str/includes? path "__") "__" ".")
+        [fitem & items]  (str/split path separator)]
+    (into [(keyword (:type provider) (str/kebab fitem))] (map keyword) items)))

 (defn- build-redirect-uri
  []
@ -488,9 +489,9 @@
                (let [attr-ph (parse-attr-path provider "nickname")]
                  (get-in props attr-ph))))]

-    (let [info  (assoc info :provider-id (str (:id provider)))
-          props (qualify-props provider info)
-          email (get-email props)]
+    (let [info    (assoc info :provider-id (str (:id provider)))
+          props   (qualify-props provider info)
+          email   (get-email props)]
      {:backend  (:type provider)
       :fullname (or (get-name props) email)
       :email email
@ -553,9 +554,9 @@
        claims (get-id-token-claims provider tdata)

        info   (case (get provider :user-info-source)
-                 :token (dissoc claims :exp :iss :iat :aud :sub :sid)
+                 :token (dissoc claims :exp :iss :iat :aud :sid)
                 :userinfo (fetch-user-info cfg provider tdata)
-                 (or (some-> claims (dissoc :exp :iss :iat :aud :sub :sid))
+                 (or (some-> claims (dissoc :exp :iss :iat :aud :sid))
                     (fetch-user-info cfg provider tdata)))

        info   (process-user-info provider tdata info)]
--- a/backend/test/backend_tests/auth_oidc_test.clj
+++ b/backend/test/backend_tests/auth_oidc_test.clj
@ -0,0 +1,35 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.auth-oidc-test
+  (:require
+   [app.auth.oidc :as oidc]
+   [clojure.test :as t]))
+
+(def ^:private oidc-provider
+  {:id "oidc"
+   :type "oidc"})
+
+(t/deftest parse-attr-path-supports-dot-and-double-underscore
+  (t/is
+   (= [:oidc/resource-access :penpot_roles :roles]
+      (#'oidc/parse-attr-path oidc-provider "resource_access__penpot_roles__roles")))
+  (t/is
+   (= [:oidc/ocs :data :email]
+      (#'oidc/parse-attr-path oidc-provider "ocs.data.email"))))
+
+(t/deftest process-user-info-supports-dot-notation-nested-attrs
+  (let [provider (assoc oidc-provider
+                        :email-attr "ocs.data.email"
+                        :name-attr "ocs.data.display-name")
+        info     (#'oidc/process-user-info provider
+                                           {}
+                                           {:email_verified true
+                                            :ocs {:data {:email "nextcloud@example.com"
+                                                         :display-name "Nextcloud User"}}})]
+    (t/is (= "nextcloud@example.com" (:email info)))
+    (t/is (= "Nextcloud User" (:fullname info)))
+    (t/is (true? (:email-verified info)))))