serlo/local-dev-env

kratos: generate minor token in jsonnet and append to username registered from SSO

Closed this issue · 3 comments

If users come from an OIDC provider, they may have the same username as an already existing one (e.g. Peter) at serlo.
That would prevent the user from registering and therefore from logging in at serlo.
It's quite common to append a minor token in such cases, like 'Peter-12klk2'.

Create a simple function at https://github.com/serlo/local-dev-env/blob/main/kratos/data_mapper.jsonnet for generating such token.

See https://jsonnet.org/

Some thoughts:

  • While the preferred username given by the NBP may be the NBP username and therefore unique, we currently do not know for sure this is the case.
  • jsonnet functions are intended to be pure functions without any side effects, so no IO to query Kratos whether a username already exists, for example. The standard library has no function to create a random string or calculate a hash for the token. It might be possible to define an external library for this, but that seems against what jsonnet is intended for.
  • To make sure a preferred username does not clash with a Serlo username, a first idea was including a character that is not allowed in Serlo usernames. like '.' or '/' but it seems like Kratos refuses this and then the user is forwarded to sign up on Serlo as normal.
  • The idea with the token was observed from social networks that automatically give people a username made unique by an appended token, though it may not 100% guarantee no name clash with existing usernames for our SSO. A first look made it seem like there is not one single way that everyone solves the task of unique usernames with SSO that we could also take.
  • The exact solution probably depends on the provided info with the SSO claims which we don't know yet; but can work on understanding the technical limitations or options of jsonnet/Kratos properly.

After some reflection, I have two solutions now:

  1. We stick to the idea of appending a token to the user name, just use the claim "issued at" (iat) for it: something like 'Peter-1680090710189', it should guarantee that the username is unique. Downside: if the user gets more active in serlo, they may be bothered with such an ugly name, so we have to implement the feature of changing usernames soon.
  2. We just don't append anything and let the user decide what username they want in case of a username clash. We have to trust that Kratos is going to work properly, redirecting the user to the registration form, improve the error message, and the user may complete the registration form with a new username.

I think now that 2 is the best solution.
Anyway, let's wait for more information from our partner before going on with this issue.
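For reference, this is what solution 1 would look like as a Kratos OIDC data mapper. It is an added example, not the contents of serlo's `kratos/data_mapper.jsonnet`. It assumes that Kratos passes the provider's raw ID token claims to the mapper under `claims.raw_claims` (so that `iat` is reachable there), and the trait names `username` and `email` are illustrative. Note that `iat` is a NumericDate in seconds per RFC 7519, so the suffix is shorter than the millisecond value shown in the comment above, and, being chosen by the identity provider, it does not by itself rule out a clash with a locally registered username.

```jsonnet
// Added example of a Kratos OIDC data mapper (not serlo's own file).
// Kratos evaluates this with the mapped claims available as an extVar.
local claims = std.extVar('claims');

// Base name: the preferred_username claim if the provider sends one,
// otherwise the local part of the e-mail address, otherwise a fixed stub.
local base =
  if std.objectHas(claims, 'preferred_username') && claims.preferred_username != '' then
    claims.preferred_username
  else if std.objectHas(claims, 'email') then
    std.split(claims.email, '@')[0]
  else
    'user';

// Token suffix from the ID token's issued-at claim (assumption: raw claims are
// exposed as `claims.raw_claims`). Falls back to the subject identifier when
// `iat` is absent so the mapper still produces a deterministic username.
local suffix =
  if std.objectHas(claims, 'raw_claims') && std.objectHas(claims.raw_claims, 'iat') then
    std.toString(claims.raw_claims.iat)
  else
    claims.sub;

{
  identity: {
    traits: {
      // e.g. 'Peter-1680090710'
      username: base + '-' + suffix,
      // Only set the email trait when the provider actually sent one;
      // a null key drops the field from the object.
      [if std.objectHas(claims, 'email') then 'email' else null]: claims.email,
    },
  },
}
```

The whole mapping stays a pure function of the claims, which is the constraint noted earlier in this thread: no lookup against Kratos is possible from here, so any remaining collision still ends in the normal registration flow.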

Outdated since we got conflicting info from the stakeholder (we won't get any username from the OIDC provider).