Allow OIDC username attribute to be customizable

desktop/conf.dist/hue.ini

@@ -758,6 +758,10 @@
     # Create a new user from OpenID Connect on login if it doesn't exist
     ## create_users_on_login=true
 
+    # When creating a new user, which 'claims' attribute from the OIDC provider to be used for creating the username.
+    #      Default to 'preferred_username'. Possible values include: 'email'
+    ## oidc_username_attribute=preferred_username
+
     # The group of users will be created and updated as superuser. To use this feature, setup in Keycloak:
     # 1. add the name of the group here
     # 2. in Keycloak, go to your_realm --> your_clients --> Mappers, add a mapper

desktop/conf/pseudo-distributed.ini.tmpl

@@ -760,6 +760,10 @@
     # Create a new user from OpenID Connect on login if it doesn't exist
     ## create_users_on_login=true
 
+    # When creating a new user, which 'claims' attribute from the OIDC provider to be used for creating the username.
+    #      Default to 'preferred_username'. Possible values include: 'email'
+    ## oidc_username_attribute=preferred_username
+
     # The group of users will be created and updated as superuser. To use this feature, setup in Keycloak:
     # 1. add the name of the group here
     # 2. in Keycloak, go to your_realm --> your_clients --> Mappers, add a mapper

desktop/core/src/desktop/auth/backend.py

@@ -684,7 +684,7 @@ def authenticate(self, **kwargs):
     return None
 
   def filter_users_by_claims(self, claims):
-    username = claims.get('preferred_username')
+    username = claims.get(import_from_settings('OIDC_USERNAME_ATTRIBUTE', 'preferred_username'))
     if not username:
       return self.UserModel.objects.none()
     return self.UserModel.objects.filter(username__iexact=username)
@@ -699,7 +699,7 @@ def create_user(self, claims):
     """Return object for a newly created user account."""
     # Overriding lib's logic, use preferred_username from oidc as username
 
-    username = claims.get('preferred_username', '')
+    username = claims.get(import_from_settings('OIDC_USERNAME_ATTRIBUTE', 'preferred_username'), '')
     email = claims.get('email', '')
     first_name = claims.get('given_name', '')
     last_name = claims.get('family_name', '')

desktop/core/src/desktop/conf.py

@@ -1416,6 +1416,13 @@ def get_deprecated_login_lock_out_by_combination_browser_user_agent():
       default=True
     ),
 
+    OIDC_USERNAME_ATTRIBUTE=Config(
+      key="oidc_username_attribute",
+      help=_("The attribute to be used as username when creating and looking up the user."),
+      type=str,
+      default="preferred_username"
+    ),
+
     SUPERUSER_GROUP=Config(
       key="superuser_group",
       help=_("The group of users will be created and updated as superuser."),

desktop/core/src/desktop/settings.py

@@ -504,6 +504,7 @@ def is_oidc_configured():
   OIDC_STORE_ID_TOKEN = True
   OIDC_STORE_REFRESH_TOKEN = True
   OIDC_CREATE_USER = desktop.conf.OIDC.CREATE_USERS_ON_LOGIN.get()
+  OIDC_USERNAME_ATTRIBUTE = desktop.conf.OIDC.OIDC_USERNAME_ATTRIBUTE.get()
 
 # OAuth
 OAUTH_AUTHENTICATION='liboauth.backend.OAuthBackend' in AUTHENTICATION_BACKENDS