Problem:
When using Casdoor as an OpenID provider, there's an inconsistency between the user information in the JWT token and the UserInfo endpoint. The token contains the user's unique ID in the `name` field, while the UserInfo endpoint correctly returns the user's display name.
Solution:
This PR adds a new `ForceUserInfo` option to the OpenID provider configuration. When enabled, it forces the use of the UserInfo endpoint to retrieve user information instead of relying on claims from the ID token.
Impact:
- Default behavior remains unchanged (backward compatible)
- New option allows administrators to force using UserInfo endpoint data
- Particularly useful for providers like Casdoor that don't fully comply with OIDC standards
Related:
I've opened an issue in the Casdoor repository (https://github.com/casdoor/casdoor/issues/3806) to discuss the root cause. However, changing Casdoor's token structure might cause significant compatibility issues for existing integrations, so it's unclear if this can be fixed at the provider level. This PR provides a workaround in Vikunja that doesn't affect existing functionality.
The config values for openid providers now use a map with the provider as key instead of an array. For example before:
auth:
openid:
providers:
- name: foo
clientid: ...
now becomes:
auth:
openid:
providers:
foo:
clientid: ...
This allows us to read values for openid providers from files using the same syntax as everywhere and makes the configuration more predictable. It also allows configuring providers through env variables, though it is still required to set at least one value via the config file because Vikunja won't discover the provider otherwise.
Add config docs
Lint
Move provider-related stuff to separate file
Refactor getting auth providers
Fix tests
Fix user tests
Fix openid tests
Add swagger docs
Fix lint
Fix lint issues
Fix checking if the user already exists
Make sure to create a new namespace for new users
Docs
Add tests for openid
Remove unnessecary err check
Consistently return nil users if creating a new user failed
Move sending confirmation email to separate function
Better variable names
Move checks to separate functions
Refactor creating user into seperate file
Fix creating new local users
Test creating new users from different issuers
Generate a random username right away if no preferred username has been given
Add todo
Cache openid providers
Add getting int clientids
Fix migration
Move creating tokens to auth package
Add getting or creating a third party user
Add parsing claims
Add retreiving auth tokens
Add token callback from openid package
Add check for provider key
Add routes
Start adding openid auth handler
Add config for openid auth
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/713
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
