From 90606092ed8468a070c4016331002d7382997c7e Mon Sep 17 00:00:00 2001
From: Lennart <18233294+lennart-k@users.noreply.github.com>
Date: Wed, 16 Apr 2025 17:26:12 +0200
Subject: [PATCH] OIDC: Add configurable user id (between sub and preferred_username)
---
 crates/frontend/src/config.rs | 12 ++++++++++++
 crates/frontend/src/oidc/mod.rs | 16 +++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/crates/frontend/src/config.rs b/crates/frontend/src/config.rs
index f709c82..6d0d22e 100644
--- a/crates/frontend/src/config.rs
+++ b/crates/frontend/src/config.rs
@@ -5,6 +5,16 @@ fn default_true() -> bool {
 true
 }
+#[derive(Deserialize, Serialize, Clone, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum UserIdClaim { // The correct option Sub, // The more ergonomic option if you know what you're doing #[default] PreferredUsername, }
+
 #[derive(Deserialize, Serialize, Clone)]
 #[serde(deny_unknown_fields)]
 pub struct OidcConfig {
@@ -15,6 +25,8 @@ pub struct OidcConfig {
 pub scopes: Vec,
 pub allow_sign_up: bool,
 pub require_group: Option,
+ #[serde(default)]
+ pub userid_claim: UserIdClaim,
 }
 #[derive(Deserialize, Serialize, Clone)]
diff --git a/crates/frontend/src/oidc/mod.rs b/crates/frontend/src/oidc/mod.rs
index a92dca6..259ca26 100644
--- a/crates/frontend/src/oidc/mod.rs
+++ b/crates/frontend/src/oidc/mod.rs
@@ -1,4 +1,7 @@
-use crate::{FrontendConfig, config::OidcConfig};
+use crate::{ FrontendConfig, config::{OidcConfig, UserIdClaim}, };
 use actix_session::Session;
 use actix_web::{
 HttpRequest, HttpResponse, Responder,
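Review bot: `PreferredUsername` is marked `#[default]` in the `UserIdClaim` enum (and `#[serde(default)]` on `userid_claim` in the second config.rs hunk makes it the effective setting for every existing config file), yet the only explanation is a `//` comment calling `Sub` "the correct option", which rustdoc drops and which does not say why. OIDC Core defines `sub` as the locally unique and stable end-user identifier and does not require `preferred_username` to be unique or stable, so keying principals on the username lets a renamed or reused username resolve to another account's principal; that trade-off belongs in the config documentation. Replace the two `//` comments with `///` doc comments, e.g. `/// Use the sub claim: unique and stable per issuer, but usually opaque.` on `Sub` and `/// Use preferred_username: human-readable, but OIDC does not guarantee it unique or stable; only safe when the IdP enforces uniqueness. Default for backward compatibility.` on `PreferredUsername`. Adding `Debug` to the derive list would also be conventional for a public config enum.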
@@ -194,10 +197,13 @@ pub async fn route_get_oidc_callback(
 }
 }
- let user_id = user_info_claims
- .preferred_username()
- .ok_or(OidcError::Other("Missing preferred_username claim"))?
- .to_string();
+ let user_id = match oidc_config.userid_claim {
+ UserIdClaim::Sub => user_info_claims.subject().to_string(),
+ UserIdClaim::PreferredUsername => user_info_claims
+ .preferred_username()
+ .ok_or(OidcError::Other("Missing preferred_username claim"))?
+ .to_string(),
+ };
 let mut user = auth_provider.get_principal(&user_id).await?;
 if user.is_none() {
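Review bot: The new `UserIdClaim::Sub` arm takes `sub` from the UserInfo response (`user_info_claims.subject()`), and nothing in this hunk compares it with the `sub` of the verified ID token; OIDC Core 1.0 §5.3.2 requires that check before any UserInfo value is used, and it matters more now that this value becomes the principal key. If `route_get_oidc_callback` does not already do this outside the hunk (its body starts and ends outside it), add before the `match`: `if <id_token_claims>.subject() != user_info_claims.subject() { return Err(OidcError::Other("UserInfo sub does not match ID token sub")); }`, where `<id_token_claims>` stands for whatever holds the validated ID token claims. `sub` is also only unique per issuer, so if more than one provider can ever feed `get_principal`, the key passed to it should be scoped by issuer; from this hunk alone I cannot tell whether that applies here.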