openid: allow arbitrary username-claims
index 4fc0be838c26d357700124c50a6173e361b6f5bd..c5bd736fddb52035a8c22d3b0c3aea7e310eac64 100644 (file)
@@ -165,22 +165,19 @@ __PACKAGE__->register_method ({
            my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
            my $subject = $info->{'sub'};
 
-           die "missing openid claim 'sub'\n" if !defined($subject);
-
-           my $unique_name = $subject; # default
+           my $unique_name;
            if (defined(my $user_attr = $config->{'username-claim'})) {
-               if ($user_attr eq 'subject') {
+               if (defined($info->{$user_attr})) {
+                   $unique_name = $info->{$user_attr};
+               } elsif ($user_attr eq 'subject') { # stay compat with old versions
                    $unique_name = $subject;
-               } elsif ($user_attr eq 'username') {
+               } elsif ($user_attr eq 'username') { # stay compat with old versions
                    my $username = $info->{'preferred_username'};
                    die "missing claim 'preferred_username'\n" if !defined($username);
                    $unique_name =  $username;
-               } elsif ($user_attr eq 'email') {
-                   my $email = $info->{'email'};
-                   die "missing claim 'email'\n" if !defined($email);
-                   $unique_name = $email;
                } else {
-                   die "got unexpected value for 'username-claim': '${user_attr}'\n";
+                   # neither the attr nor fallback are defined in info..
+                   die "missing configured claim '$user_attr'\n";
                }
            }