From 4b90d2d0cf94df5f81a919902b8f8b55274e6b4d Mon Sep 17 00:00:00 2001
From: ralf
Date: Fri, 19 Jul 2024 14:10:32 +0200
Subject: [PATCH] * Api/Auth/OpenIDConnect: allow to specify which JWT payload attribute to use and a regular expression to extract username from it

---
 api/src/Auth/Openidconnect.php | 61 ++++++++++++++++++++----------
 setup/lang/egw_de.lang | 3 ++
 setup/lang/egw_en.lang | 4 ++
 setup/templates/default/config.tpl | 16 ++++++++
 4 files changed, 63 insertions(+), 21 deletions(-)

diff --git a/api/src/Auth/Openidconnect.php b/api/src/Auth/Openidconnect.php
index 784e41375a..fbb6b9a77b 100644
--- a/api/src/Auth/Openidconnect.php
+++ b/api/src/Auth/Openidconnect.php
@@ -44,32 +44,51 @@ class Openidconnect implements BackendSSO //error_log(__METHOD__."() session_status()=".session_status().", _SESSION=".json_encode($_SESSION)); $this->client->authenticate(); - $account_lid = $this->client->getVerifiedClaims('sub'); + // use configured payload attribute / claim, defaulting to "sub" + $attribute = ($GLOBALS['egw_info']['server']['oic_username_attribute'] ?? 'sub'); + if ($attribute === 'custom' && !empty($GLOBALS['egw_info']['server']['oic_username_custom'])) + { + $attribute = $GLOBALS['egw_info']['server']['oic_username_custom']; + } + $account_lid = $this->client->getVerifiedClaims($attribute); + // extract username with regular expression, if configured and matching + if (!empty($GLOBALS['egw_info']['server']['oic_username_preg']) && preg_match($GLOBALS['egw_info']['server']['oic_username_preg'], $account_lid)) + { + $account_lid = preg_replace($GLOBALS['egw_info']['server']['oic_username_preg'], '$1', $account_lid); + } $accounts = Api\Accounts::getInstance(); if (!$accounts->name2id($account_lid, 'account_lid', 'u')) { - // fail if auto-creation of authenticated users is NOT configured - if (empty($GLOBALS['egw_info']['server']['auto_create_acct'])) + // for attribute="email" check, if we have user with given email + if ($attribute === 'email' && ($account_id = $accounts->name2id($account_lid, 'account_email', 'u'))) { - error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!"); - $_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid); - return null; + $account_lid = Api\Accounts::id2name($account_id); } - try { - $user_info = $this->client->requestUserInfo(); - $GLOBALS['auto_create_acct'] = [ - 'firstname' => $user_info->given_name, - 'lastname' => $user_info->family_name, - 'email' => $user_info->email, - // not (yet) used 
supported keys - //'primary_group' => '', - //'add_group' => '', - //'account_id' => 0, - ]; - } - catch (OpenIDConnectClientException $e) { - // do NOT fail, if IdP does not support user-info - _egw_log_exception($e); + else + { + // fail if auto-creation of authenticated users is NOT configured + if (empty($GLOBALS['egw_info']['server']['auto_create_acct'])) + { + error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!"); + $_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid); + return null; + } + try { + $user_info = $this->client->requestUserInfo(); + $GLOBALS['auto_create_acct'] = [ + 'firstname' => $user_info->given_name, + 'lastname' => $user_info->family_name, + 'email' => $user_info->email, + // not (yet) used supported keys + //'primary_group' => '', + //'add_group' => '', + //'account_id' => 0, + ]; + } + catch (OpenIDConnectClientException $e) { + // do NOT fail, if IdP does not support user-info + _egw_log_exception($e); + } } } // return user session diff --git a/setup/lang/egw_de.lang b/setup/lang/egw_de.lang index f0c1484616..241d085515 100644 --- a/setup/lang/egw_de.lang +++ b/setup/lang/egw_de.lang @@ -218,6 +218,7 @@ current system-charset setup de Aktueller Systemzeichensatz current system-charset is %1. setup de Aktueller Systemzeichensatz ist %1. current version setup de Gegenwärtige Version currently installed languages: %1
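Review bot: The new `preg_replace(..., '$1', $account_lid)` only rewrites the part of the claim that the configured pattern matches, so a pattern matching just a prefix or suffix of the value (for example the part of an address before `@`) leaves the unmatched remainder in `$account_lid` rather than yielding the captured group alone, and a pattern with no capture group replaces the match with an empty string. Using the capture of the `preg_match` that is already performed would do what the comment promises: keep the configured pattern in a local `$preg`, then `if (!empty($preg) && preg_match($preg, $account_lid, $matches) && isset($matches[1]))` and `$account_lid = $matches[1];`. Separately, the added `account_email` lookup binds an IdP-asserted address to an existing local account; `getVerifiedClaims` establishes only that the token is signed, not that the IdP verified ownership of the address, so unless every configured IdP is trusted to assert only verified addresses this branch should presumably also require the standard `email_verified` claim before `id2name` is applied — worth confirming against the deployment's IdP policy. The enclosing method begins and ends outside the hunk.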
setup de Gegenwärtig installierte Sprachen: %1
+custom attribute setup de Benutzerdefiniertes Attribute custom handler: %1 setup de Eigener Sitzunghandler: %1 custom oid setup de Benutzerdefinierte OID custom set via %1 setup de Benutzerdefiniert über "%1" gesetzt @@ -486,6 +487,7 @@ multi-language support setup setup de Mehr-Sprachen Unterstützung einrichten name for service provider setup de Name des Service Provider / Dienstes name of database setup de Name der Datenbank name of db user egroupware uses to connect setup de Name des Datenbank-Benutzers den EGroupware verwendet +name of jwt payload attribute for username setup de Name des JWT Nutzdaten Attributes für den Benutzername needs extra configuration on dc and webserver! setup de Benötigt extra Konfiguration auf Domain Controller und Webserver! never setup de Niemals new setup de Neu @@ -540,6 +542,7 @@ path to user and group files has to be outside of the webservers document-root!! path to various directories: have to exist and be writeable by the webserver setup de Pfade zu verschiedenen Verzeichnissen: Diese müssen vorhanden sein und vom Webserver beschreibbar pem certificate setup de PEM Zertifikat periodic import from ads or ldap into egroupware database setup de Periodischer Import von ADS oder LDAP in die EGroupware Datenbank +perl regular expression to extract username setup de Perl Regulärer Ausdruck um Benutzernamen to extrahieren persistent connections setup de Permanente Verbindungen php client setup de PHP Client php proxy setup de PHP Proxy diff --git a/setup/lang/egw_en.lang b/setup/lang/egw_en.lang index 7f65c35960..96235e4f9b 100644 --- a/setup/lang/egw_en.lang +++ b/setup/lang/egw_en.lang @@ -218,6 +218,7 @@ current system-charset setup en Current system charset current system-charset is %1. setup en Current system charset is %1. current version setup en Current version currently installed languages: %1
setup en Currently installed languages: %1
+custom attribute setup en custom attribute custom handler: %1 setup en Custom handler: %1 custom oid setup en custom OID custom set via %1 setup en Custom set via %1 @@ -486,6 +487,7 @@ multi-language support setup setup en Multi language support setup name for service provider setup en Name for Service Provider name of database setup en Name of database name of db user egroupware uses to connect setup en Name of db user EGroupware uses to connect +name of jwt payload attribute for username setup en Name of JWT payload attribute for username needs extra configuration on dc and webserver! setup en Needs extra configuration on DC and webserver! never setup en Never new setup en New @@ -519,6 +521,7 @@ one month setup en One month one week setup en One week only add languages that are not in the database already setup en Only add languages that are not in the database already only add new phrases setup en Only add new phrases +openidconnect login setup en OpenIDConnect Login optional, if only authentication and anonymous search is enabled setup en optional, if only authentication AND anonymous search is enabled or setup en or or %1continue to the header admin%2 setup en or %1Continue to the Header Admin%2 @@ -540,6 +543,7 @@ path to user and group files has to be outside of the webservers document-root!! path to various directories: have to exist and be writeable by the webserver setup en Path to various directories: have to exist and be writable by the web server pem certificate setup en PEM certificate periodic import from ads or ldap into egroupware database setup en Periodic import from ADS or LDAP into EGroupware database +perl regular expression to extract username setup en Perl regular expression to extract username persistent connections setup en Persistent connections php client setup en PHP client php proxy setup en PHP proxy diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl index 8f33cdec44..c673c5669a 100644 
--- a/setup/templates/default/config.tpl +++ b/setup/templates/default/config.tpl @@ -493,6 +493,22 @@ {lang_Client_secret}: + + {lang_Name_of_JWT_payload_attribute_for_username}: + + + + + + + {lang_Perl_regular_expression_to_extract_username} + +