oidc provider assumes username or email claim exists and is stable, VP should use `sub`

[rhansen]

When oauth.provider is set to oidc, Vouch assumes that either username or email exists in the UserInfo response. If neither exists (as is the case with GitLab when scope=openid), structs.User.Username is the empty string and the /validate endpoint fails with "no User found in jwt".

Furthermore, the username (or email) claim is used as a unique identifier for the user (e.g., in the user whitelist). This is forbidden by section 5.7 of the core spec: "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, [...] other Claims such as email, phone_number, and preferred_username MUST NOT be used as unique identifiers for the End-User."

[bnfinet]

@rhansen Thanks for opening this issue.

There has been talk from time to time of moving to sub and it's clearly the right choice.

I know you've tested the PR against gitlab, have you had an opportunity to test any other providers?

[rhansen]

I know you've tested the PR against gitlab, have you had an opportunity to test any other providers?

No, I have not.

[bnfinet]

@rhansen sorry for the delay in reviewing this PR

Unfortunately #310 breaks github support. All of the GetUserInfo calls should be audited for each provider to ensure that User.Sub is populated. Are you able to support such an effort?

[bnfinet]

@rhansen I've added the Sub adjustment for github and a rudimentary fix in structs.PrepareUserData but it should still be looked at a bit closer IMHO.

[UberKitten]

I noticed this issue today when playing around with authenticating guest users in Azure AD through OIDC. In AAD guest users are not in the directory themselves, just authorized to log in to the directory with an external email. The user info has sub and email but no username so it fails.

[bnfinet]

@UberKitten that sounds like #314

[UberKitten]

@bnfinet Ah yes, it is. I've been getting the "no User found in jwt" error but that's the root cause. Thanks!

[rissson]

I ran against this problem too. I need this fix, because I need to have multiple domains in vouch.domains. Unfortunately not all my users have an email address in those domains and thus get denied login.

[bnfinet]

@rissson have you tried 'allowAllUsers' config item?