IDToken: Add current user's Username and UID to the ID token (#90240)

* Set claims.Rest.Login from the IDService * Add UID to the ID token
2025-02-25 18:55:37 -06:00 · 2024-07-11 14:25:30 +02:00
parent b75276c641
commit 69c5fa8361
5 changed files with 23 additions and 4 deletions
--- a/pkg/services/auth/idimpl/service.go
+++ b/pkg/services/auth/idimpl/service.go
@@ -96,6 +96,8 @@ func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (stri
 			claims.Rest.Email = id.GetEmail()
 			claims.Rest.EmailVerified = id.IsEmailVerified()
 			claims.Rest.AuthenticatedBy = id.GetAuthenticatedBy()
+			claims.Rest.Username = id.GetLogin()
+			claims.Rest.UID = id.GetUID().String()
 		}

 		token, err := s.signer.SignIDToken(ctx, claims)
--- a/pkg/services/auth/idimpl/service_test.go
+++ b/pkg/services/auth/idimpl/service_test.go
@@ -63,7 +63,7 @@ func TestService_SignIdentity(t *testing.T) {
 		},
 	}

-	t.Run("should sing identity", func(t *testing.T) {
+	t.Run("should sign identity", func(t *testing.T) {
 		s := ProvideService(
 			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
 			featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding),
@@ -74,13 +74,17 @@ func TestService_SignIdentity(t *testing.T) {
 		require.NotEmpty(t, token)
 	})

-	t.Run("should sing identity with authenticated by if user is externally authenticated", func(t *testing.T) {
+	t.Run("should sign identity with authenticated by if user is externally authenticated", func(t *testing.T) {
 		s := ProvideService(
 			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
 			featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding),
 			&authntest.FakeService{}, nil,
 		)
-		token, err := s.SignIdentity(context.Background(), &authn.Identity{ID: authn.MustParseNamespaceID("user:1"), AuthenticatedBy: login.AzureADAuthModule})
+		token, err := s.SignIdentity(context.Background(), &authn.Identity{
+			ID:              authn.MustParseNamespaceID("user:1"),
+			AuthenticatedBy: login.AzureADAuthModule,
+			Login:           "U1",
+			UID:             authn.NewNamespaceIDString(authn.NamespaceUser, "edpu3nnt61se8e")})
 		require.NoError(t, err)

 		parsed, err := jwt.ParseSigned(token)
@@ -89,5 +93,7 @@ func TestService_SignIdentity(t *testing.T) {
 		claims := &auth.IDClaims{}
 		require.NoError(t, parsed.UnsafeClaimsWithoutVerification(&claims.Claims, &claims.Rest))
 		assert.Equal(t, login.AzureADAuthModule, claims.Rest.AuthenticatedBy)
+		assert.Equal(t, "U1", claims.Rest.Username)
+		assert.Equal(t, "user:edpu3nnt61se8e", claims.Rest.UID)
 	})
 }