Merge pull request #47296 from Postremus/issues/47284-no-double-append-email-oidc-dev

Do not append email suffix if already present in oidc dev service

Author: sberyozkin

extensions/devservices/oidc/src/main/java/io/quarkus/devservices/oidc/OidcDevServicesProcessor.java

@@ -714,9 +714,9 @@ private static String createIdToken(String user, Set<String> roles, String clien
                 .audience(clientId)
                 .subject(user)
                 .upn(user)
-                .claim("name", capitalize(user))
-                .claim(Claims.preferred_username, user + "@example.com")
-                .claim(Claims.email, user + "@example.com")
+                .claim("name", buildNameClaimValue(user))
+                .claim(Claims.preferred_username, buildEmailClaimValue(user))
+                .claim(Claims.email, buildEmailClaimValue(user))
                 .groups(roles)
                 .jws()
                 .keyId(kid)
@@ -731,15 +731,29 @@ private static String createAccessToken(String user, Set<String> roles, Set<Stri
                 .subject(user)
                 .scope(scope)
                 .upn(user)
-                .claim("name", capitalize(user))
-                .claim(Claims.preferred_username, user + "@example.com")
-                .claim(Claims.email, user + "@example.com")
+                .claim("name", buildNameClaimValue(user))
+                .claim(Claims.preferred_username, buildEmailClaimValue(user))
+                .claim(Claims.email, buildEmailClaimValue(user))
                 .groups(roles)
                 .jws()
                 .keyId(kid)
                 .sign(kp.getPrivate());
     }
 
+    private static String buildNameClaimValue(String user) {
+        if (user.contains("@")) {
+            return capitalize(user.split("@")[0]);
+        }
+        return capitalize(user);
+    }
+
+    private static String buildEmailClaimValue(String user) {
+        if (user.contains("@")) {
+            return user;
+        }
+        return user + "@example.com";
+    }
+
     /*
      * {"kty":"RSA",
      * "use":"sig",
@@ -801,13 +815,13 @@ private static void userInfo(RoutingContext rc) {
                         {
                             "preferred_username": "%1$s",
                             "sub": "%2$s",
-                            "name": "%2$s",
-                            "family_name": "%2$s",
-                            "given_name": "%2$s",
-                            "email": "%3$s"
+                            "name": "%3$s",
+                            "family_name": "%3$s",
+                            "given_name": "%3$s",
+                            "email": "%4$s"
                         }
                         """.formatted(claims.getString(Claims.preferred_username.name()),
-                        claims.getString(Claims.sub.name()), claims.getString(Claims.email.name()));
+                        claims.getString(Claims.sub.name()), claims.getString("name"), claims.getString(Claims.email.name()));
                 rc.response()
                         .putHeader("Content-Type", "application/json")
                         .endAndForget(data);

integration-tests/oidc-dev-services/src/main/java/io/quarkus/it/oidc/dev/services/SecuredResource.java

@@ -44,7 +44,7 @@ public String getAdminOnly() {
     @GET
     @Path("user-only")
     public String getUserOnly() {
-        return userInfo.getPreferredUserName() + " " + securityIdentity.getRoles();
+        return userInfo.getPreferredUserName() + " " + securityIdentity.getRoles() + " " + userInfo.getName();
     }
 
     @GET

integration-tests/oidc-dev-services/src/test/java/io/quarkus/it/oidc/dev/services/BearerAuthenticationOidcDevServicesTest.java

@@ -49,7 +49,7 @@ public void testLoginAsAlice() {
                 .get("/secured/user-only")
                 .then()
                 .statusCode(200)
-                .body(Matchers.containsString("alice"))
+                .body(Matchers.startsWith("alice@example.com "))
                 .body(Matchers.containsString("admin"))
                 .body(Matchers.containsString("user"));
     }
@@ -66,10 +66,31 @@ public void testLoginAsBob() {
                 .get("/secured/user-only")
                 .then()
                 .statusCode(200)
-                .body(Matchers.containsString("bob"))
+                .body(Matchers.startsWith("bob@example.com "))
                 .body(Matchers.containsString("user"));
     }
 
+    @Test
+    void testEmailAndName() {
+        // test users get an @example.com appended if username is not an email address
+        RestAssured.given()
+                .auth().oauth2(getAccessToken("bob"))
+                .get("/secured/user-only")
+                .then()
+                .statusCode(200)
+                .body(Matchers.startsWith("[email protected] "))
+                .body(Matchers.containsString(" Bob"));
+
+        // Test no additional @example.com is appended if requested username is likely already an email address
+        RestAssured.given()
+                .auth().oauth2(getAccessToken("[email protected]"))
+                .get("/secured/user-only")
+                .then()
+                .statusCode(200)
+                .body(Matchers.startsWith("[email protected] "))
+                .body(Matchers.containsString(" Bob"));
+    }
+
     private String getAccessToken(String user) {
         return oidcTestClient.getAccessToken(user, user);
     }