Closed
Description
Describe the feature you'd like
The ability to specify the OIDC claim which is used to map users via external auth would be useful for migrations from other auth systems.
I'm trying to convert from AUTH_AZUREAD to OIDC and the mapping of external_id statically to sub is problematic.
$id = $token->getClaim('sub');
As this value appears to be opaque in Azure AD and difficult to retrieve in bulk, the process of moving users from AUTH_AZUREAD would be difficult. I'd like to set the external_id value to something like UPN which would allow me to bulk-update users and have a seamless migration.
Describe the benefits this would bring to existing BookStack users
Easier migration of users from other auth systems to OIDC. Consistency with SAML2_EXTERNAL_ID_ATTRIBUTE
Can the goal of this request already be achieved via other means?
Not as far as I know.
Have you searched for an existing open/closed issue?
- I have searched for existing issues and none cover my fundamental request
How long have you been using BookStack?
1 to 5 years
Additional context
Hacky POC patch which would allow me to link on UPN:
diff --git a/app/Auth/Access/Oidc/OidcService.php b/app/Auth/Access/Oidc/OidcService.php
index b8e017b4..14577c1e 100644
--- a/app/Auth/Access/Oidc/OidcService.php
+++ b/app/Auth/Access/Oidc/OidcService.php
@@ -151,7 +151,7 @@ class OidcService
$id = $token->getClaim('sub');
return [
- 'external_id' => $id,
+ 'external_id' => $token->getClaim('upn'),
'email' => $token->getClaim('email'),
'name' => $this->getUserDisplayName($token, $id),
];
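Review bot: the added `'external_id' => $token->getClaim('upn'),` line hard-codes the claim name and nothing in the hunk checks that the token actually carries a non-empty `upn` before the value is used as the account link. As written, every install would switch from `sub` to `upn`, and a token without that claim would map the user on whatever `getClaim` yields for a missing claim. Suggest reading the claim name from configuration with `sub` as the default (the issue already points at `SAML2_EXTERNAL_ID_ATTRIBUTE` as the precedent) and failing the login when the configured claim is absent or empty. Two further points: `$id` is still taken from `sub` and passed to `getUserDisplayName($token, $id)`, so the display-name fallback and `external_id` would now come from different claims; and `sub` is defined by OIDC as a stable, never-reassigned identifier while a UPN can be renamed or reissued, so the option's documentation should say that the chosen claim must be stable and asserted by the identity provider rather than editable by the user.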