vaulttec/sonar-auth-oidc

Allow using a separate claim as name

Closed this issue · 2 comments

  • Right now it seems the plugin does use sonar.auth.oidc.loginStrategy for both the login and name of a user (so in my case here in GitHub it would be mfriedenhagen both times).
  • It would be great if one could provide another claim for name, maybe even a claim combination (${given_name} ${family_name})

Right now it seems the plugin does use sonar.auth.oidc.loginStrategy for both the login and name of a user (so in my case here in GitHub it would be mfriedenhagen both times).

For a sonar.auth.oidc.loginStrategy of Preferred username the login and name are the same (the preferred username) if the identity provider is not providing the claim name or the provided claims name and preferred_username are identical. Further details can be found here.

Which identity provider are you using? Is there any chance you can provide a SonarQube web.log with sonar.log.level.web set to DEBUG as described here?

It would be great if one could provide another claim for name, maybe even a claim combination (${given_name} ${family_name})

This kind of claim mapping is expected to be done by the identity provider, e.g. like Keycloak does with its OIDC token and SAML assertion mappings.

There must be a reason why your identity provider is not providing the claim name according to the OIDC spec (... name | string | End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. ...).
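Added example, not part of the thread or of the plugin's own code: a diagnostic that decodes an ID token payload (without verifying the signature) and applies the login/name fallback described above for the Preferred username strategy. The function names and the sample claims are constructed for illustration.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Decode a compact JWT payload for inspection only (signature is NOT verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_identity(claims: dict) -> dict:
    """Login/name as described in the thread for the 'Preferred username' strategy."""
    login = claims.get("preferred_username")
    if not isinstance(login, str) or not login:
        raise ValueError("preferred_username claim missing")
    name = claims.get("name")
    if isinstance(name, str) and name.strip():
        finding = "ok" if name != login else "name is identical to preferred_username"
        return {"login": login, "name": name, "finding": finding}
    # No usable name claim: the display name falls back to the login.
    if claims.get("given_name") and claims.get("family_name"):
        finding = "name missing; map given_name + family_name to name at the IdP"
    else:
        finding = "name missing; IdP does not send the OIDC name claim"
    return {"login": login, "name": login, "finding": finding}


def make_token(claims: dict) -> str:
    """Build an unsigned sample token from constructed claims (test data only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = make_token({"sub": "42", "preferred_username": "jdoe",
                         "given_name": "Jane", "family_name": "Doe"})
    print(resolve_identity(decode_claims(sample)))
```

Use it only to inspect tokens from your own IdP while troubleshooting; it does not validate the token.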

Thanks for the quick answer and the links. The IdP I use is developed in-house, I will talk about this problem with the team in charge and refer them to the spec you referenced.