From fe991d00bde001fe53e53c2d23f5ba6dae221536 Mon Sep 17 00:00:00 2001
From: Meier Lukas <meierschlumpf@gmail.com>
Date: Fri, 3 Jan 2025 22:58:46 +0100
Subject: [PATCH 1/2] feat(auth): add env variable for
 oidc-name-attribute-overwrite

---
 packages/auth/env.mjs                         |  2 ++
 packages/auth/providers/oidc/oidc-provider.ts | 19 ++++++++++++++++---
 turbo.json                                    |  1 +
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/packages/auth/env.mjs b/packages/auth/env.mjs
index ebc4555df..9105ee776 100644
--- a/packages/auth/env.mjs
+++ b/packages/auth/env.mjs
@@ -74,6 +74,7 @@ export const env = createEnv({
           AUTH_OIDC_AUTO_LOGIN: booleanSchema,
           AUTH_OIDC_SCOPE_OVERWRITE: z.string().min(1).default("openid email profile groups"),
           AUTH_OIDC_GROUPS_ATTRIBUTE: z.string().default("groups"), // Is used in the signIn event to assign the correct groups, key is from object of decoded id_token
+          AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: z.string().optional(),
         }
       : {}),
     ...(authProviders.includes("ldap")
@@ -117,6 +118,7 @@ export const env = createEnv({
     AUTH_LDAP_USER_MAIL_ATTRIBUTE: process.env.AUTH_LDAP_USER_MAIL_ATTRIBUTE,
     AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG,
     AUTH_OIDC_AUTO_LOGIN: process.env.AUTH_OIDC_AUTO_LOGIN,
+    AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: process.env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE,
   },
   skipValidation,
 });
diff --git a/packages/auth/providers/oidc/oidc-provider.ts b/packages/auth/providers/oidc/oidc-provider.ts
index 406b13871..af17c7f43 100644
--- a/packages/auth/providers/oidc/oidc-provider.ts
+++ b/packages/auth/providers/oidc/oidc-provider.ts
@@ -9,7 +9,7 @@ interface Profile {
   name: string;
   email: string;
   groups: string[];
-  preferred_username: string;
+  preferred_username?: string;
   email_verified: boolean;
 }
 
@@ -28,12 +28,25 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
     },
   },
   profile(profile) {
+    const name = extractName(profile);
+    if (!name) {
+      throw new Error(`OIDC provider did not return a name properties='${Object.keys(profile).join(",")}'`);
+    }
+
     return {
       id: profile.sub,
-      // Use the name as the username if the preferred_username is an email address
-      name: profile.preferred_username.includes("@") ? profile.name : profile.preferred_username,
+      name,
       email: profile.email,
       provider: "oidc",
     };
   },
 });
+
+const extractName = (profile: Profile) => {
+  if (!env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE) {
+    // Use the name as the username if the preferred_username is an email address
+    return profile.preferred_username?.includes("@") ? profile.name : profile.preferred_username;
+  }
+
+  return profile[env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE as keyof typeof profile] as string;
+};
diff --git a/turbo.json b/turbo.json
index b3732c66e..e259bcb22 100644
--- a/turbo.json
+++ b/turbo.json
@@ -17,6 +17,7 @@
     "AUTH_OIDC_ISSUER",
     "AUTH_OIDC_SCOPE_OVERWRITE",
     "AUTH_OIDC_GROUPS_ATTRIBUTE",
+    "AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE",
     "AUTH_LDAP_USERNAME_ATTRIBUTE",
     "AUTH_LDAP_USER_MAIL_ATTRIBUTE",
     "AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG",

From ac31f9891e735ba052236fcd9d53b54539e55525 Mon Sep 17 00:00:00 2001
From: Meier Lukas <meierschlumpf@gmail.com>
Date: Sat, 4 Jan 2025 15:52:38 +0100
Subject: [PATCH 2/2] fix: profile name extraction is also needed in signin
 event

---
 packages/auth/events.ts                       | 19 +++++++++++++------
 packages/auth/providers/oidc/oidc-provider.ts | 19 +++++++------------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/packages/auth/events.ts b/packages/auth/events.ts
index 92987e0cf..88e6aa512 100644
--- a/packages/auth/events.ts
+++ b/packages/auth/events.ts
@@ -9,6 +9,7 @@ import { colorSchemeCookieKey, everyoneGroup } from "@homarr/definitions";
 import { logger } from "@homarr/log";
 
 import { env } from "./env.mjs";
+import { extractProfileName } from "./providers/oidc/oidc-provider";
 
 export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["events"], undefined>["signIn"] => {
   return async ({ user, profile }) => {
@@ -43,12 +44,18 @@ export const createSignInEventHandler = (db: Database): Exclude<NextAuthConfig["
       );
     }
 
-    const profileUsername = profile?.preferred_username?.includes("@") ? profile.name : profile?.preferred_username;
-    if (profileUsername && dbUser.name !== profileUsername) {
-      await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));
-      logger.info(
-        `Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
-      );
+    if (profile) {
+      const profileUsername = extractProfileName(profile);
+      if (!profileUsername) {
+        throw new Error(`OIDC provider did not return a name properties='${Object.keys(profile).join(",")}'`);
+      }
+
+      if (dbUser.name !== profileUsername) {
+        await db.update(users).set({ name: profileUsername }).where(eq(users.id, user.id));
+        logger.info(
+          `Username for user of oidc provider has changed. user=${user.id} old='${dbUser.name}' new='${profileUsername}'`,
+        );
+      }
     }
 
     logger.info(`User '${dbUser.name}' logged in at ${dayjs().format()}`);
diff --git a/packages/auth/providers/oidc/oidc-provider.ts b/packages/auth/providers/oidc/oidc-provider.ts
index af17c7f43..5d4570564 100644
--- a/packages/auth/providers/oidc/oidc-provider.ts
+++ b/packages/auth/providers/oidc/oidc-provider.ts
@@ -1,18 +1,10 @@
 import type { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";
-import type { OIDCConfig } from "next-auth/providers";
+import type { OIDCConfig } from "@auth/core/providers";
+import type { Profile } from "@auth/core/types";
 
 import { env } from "../../env.mjs";
 import { createRedirectUri } from "../../redirect";
 
-interface Profile {
-  sub: string;
-  name: string;
-  email: string;
-  groups: string[];
-  preferred_username?: string;
-  email_verified: boolean;
-}
-
 export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profile> => ({
   id: "oidc",
   name: env.AUTH_OIDC_CLIENT_NAME,
@@ -28,7 +20,10 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
     },
   },
   profile(profile) {
-    const name = extractName(profile);
+    if (!profile.sub) {
+      throw new Error(`OIDC provider did not return a sub property='${Object.keys(profile).join(",")}'`);
+    }
+    const name = extractProfileName(profile);
     if (!name) {
       throw new Error(`OIDC provider did not return a name properties='${Object.keys(profile).join(",")}'`);
     }
@@ -42,7 +37,7 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
   },
 });
 
-const extractName = (profile: Profile) => {
+export const extractProfileName = (profile: Profile) => {
   if (!env.AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE) {
     // Use the name as the username if the preferred_username is an email address
     return profile.preferred_username?.includes("@") ? profile.name : profile.preferred_username;