feat(auth): add env variable for oidc-name-attribute-overwrite (#1850)

2026-02-26 16:30:57 +01:00 · 2025-01-04 21:49:33 +01:00
parent 1f0116d725
commit c349bf8371
4 changed files with 36 additions and 18 deletions
--- a/packages/auth/env.mjs
+++ b/packages/auth/env.mjs
@@ -74,6 +74,7 @@ export const env = createEnv({
          AUTH_OIDC_AUTO_LOGIN: booleanSchema,
          AUTH_OIDC_SCOPE_OVERWRITE: z.string().min(1).default("openid email profile groups"),
          AUTH_OIDC_GROUPS_ATTRIBUTE: z.string().default("groups"), // Is used in the signIn event to assign the correct groups, key is from object of decoded id_token
+          AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: z.string().optional(),
        }
      : {}),
    ...(authProviders.includes("ldap")
@@ -117,6 +118,7 @@ export const env = createEnv({
    AUTH_LDAP_USER_MAIL_ATTRIBUTE: process.env.AUTH_LDAP_USER_MAIL_ATTRIBUTE,
    AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG,
    AUTH_OIDC_AUTO_LOGIN: process.env.AUTH_OIDC_AUTO_LOGIN,
+    AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: process.env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE,
  },
  skipValidation,
 });
--- a/packages/auth/events.ts
+++ b/packages/auth/events.ts
@@ -9,6 +9,7 @@ import { colorSchemeCookieKey, everyoneGroup } from "@homarr/definitions";
 import { logger } from "@homarr/log";

 import { env } from "./env.mjs";
+import { extractProfileName } from "./providers/oidc/oidc-provider";

 export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["events"], undefined>["signIn"] => {
  return async ({ user, profile }) => {
@@ -43,12 +44,18 @@ export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["
      );
    }

-    const profileUsername = profile?.preferred_username?.includes("@") ? profile.name : profile?.preferred_username;
-    if (profileUsername && dbUser.name !== profileUsername) {
-      await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));
-      logger.info(
-        `Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
-      );
+    if (profile) {
+      const profileUsername = extractProfileName(profile);
+      if (!profileUsername) {
+        throw new Error(`OIDC provider did not return a name properties='${Object.keys(profile).join(",")}'`);
+      }
+
+      if (dbUser.name !== profileUsername) {
+        await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));
+        logger.info(
+          `Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
+        );
+      }
    }

    logger.info(`User '${dbUser.name}' logged in at ${dayjs().format()}`);
--- a/packages/auth/providers/oidc/oidc-provider.ts
+++ b/packages/auth/providers/oidc/oidc-provider.ts
@@ -1,18 +1,10 @@
 import type { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";
-import type { OIDCConfig } from "next-auth/providers";
+import type { OIDCConfig } from "@auth/core/providers";
+import type { Profile } from "@auth/core/types";

 import { env } from "../../env.mjs";
 import { createRedirectUri } from "../../redirect";

-interface Profile {
-  sub: string;
-  name: string;
-  email: string;
-  groups: string[];
-  preferred_username: string;
-  email_verified: boolean;
-}
-
 export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profile> => ({
  id: "oidc",
  name: env.AUTH_OIDC_CLIENT_NAME,
@@ -28,12 +20,28 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
    },
  },
  profile(profile) {
+    if (!profile.sub) {
+      throw new Error(`OIDC provider did not return a sub property='${Object.keys(profile).join(",")}'`);
+    }
+    const name = extractProfileName(profile);
+    if (!name) {
+      throw new Error(`OIDC provider did not return a name properties='${Object.keys(profile).join(",")}'`);
+    }
+
    return {
      id: profile.sub,
-      // Use the name as the username if the preferred_username is an email address
-      name: profile.preferred_username.includes("@") ? profile.name : profile.preferred_username,
+      name,
      email: profile.email,
      provider: "oidc",
    };
  },
 });
+
+export const extractProfileName = (profile: Profile) => {
+  if (!env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE) {
+    // Use the name as the username if the preferred_username is an email address
+    return profile.preferred_username?.includes("@") ? profile.name : profile.preferred_username;
+  }
+
+  return profile[env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE as keyof typeof profile] as string;
+};
--- a/turbo.json
+++ b/turbo.json
@@ -17,6 +17,7 @@
    "AUTH_OIDC_ISSUER",
    "AUTH_OIDC_SCOPE_OVERWRITE",
    "AUTH_OIDC_GROUPS_ATTRIBUTE",
+    "AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE",
    "AUTH_LDAP_USERNAME_ATTRIBUTE",
    "AUTH_LDAP_USER_MAIL_ATTRIBUTE",
    "AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG",