Added configurable user identification logic:

- Introduced new properties to differentiate identification by `email` or `workdayId`. - Updated `SecurityConfig` to handle claims dynamically based on `application.properties` configuration.
2025-11-07 09:13:01 +01:00 · 2025-11-07 09:13:01 +01:00 · a28a14d1d3
commit a28a14d1d3
parent ae10417c44
2 changed files with 40 additions and 46 deletions
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@ -47,7 +47,10 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.OncePerRequestFilter;

 import java.io.IOException;
-import java.util.*;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 import java.util.function.Supplier;


@ -62,6 +65,18 @@ public class SecurityConfig {
    @Value("${lcc.allowed_oauth_token_cors:*}") // Default: alle Origins
    private String oauthTokenCors;

+    @Value("${lcc.auth.identify.by}")
+    private String identifyBy;
+
+    @Value("${lcc.auth.claim.workday}")
+    private String workdayClaim;
+
+    @Value("${lcc.auth.claim.email}")
+    private String emailClaim;
+
+    @Value("${lcc.auth.claim.ignore.workday}")
+    private boolean ignoreWorkdayClaim;
+

    @Bean
    @Profile("!dev & !test")  // Only active when NOT in dev profile
@ -253,57 +268,31 @@ public class SecurityConfig {

            User user = null;

-            String workdayId = oidcUser.getAttribute("employeeid");
-            if (workdayId == null) {
-                workdayId = oidcUser.getAttribute("extension_WorkdayID");
-            }
-            if (workdayId == null) {
-                workdayId = oidcUser.getAttribute("workdayWorkerID");
-            }
-            if (workdayId == null) {
-                workdayId = oidcUser.getAttribute("onpremisesimmutableid");
-            }
-            if (workdayId == null) {
-                // Check for any extension attribute containing "workday"
-                Map<String, Object> claims = oidcUser.getIdToken().getClaims();
-                workdayId = claims.entrySet().stream()
-                        .filter(e -> e.getKey().toLowerCase().contains("workday"))
-                        .map(e -> String.valueOf(e.getValue()))
-                        .findFirst()
-                        .orElse(null);
-            }
-
-            // Try different ways to get email
-            String email = oidcUser.getEmail();
-            if (email == null) {
-                email = oidcUser.getAttribute("email");
-            }
-            if (email == null) {
-                email = oidcUser.getAttribute("upn");
-            }
-            if (email == null) {
-                email = oidcUser.getAttribute("preferred_username");
-            }
+            String workdayId = oidcUser.getAttribute(workdayClaim);
+            String email = oidcUser.getAttribute(emailClaim);


-            if (workdayId != null) {
-                user = userRepository.getByWorkdayId(workdayId);
-                if (user != null) {
-                    user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
-                    userId = user.getId();
-                }
-            } else if (email != null) {
+            if (identifyBy.equals("email") && email != null && !email.isEmpty()) {
+                log.debug("Fetch user by email {}", email);
                user = userRepository.getByEmail(email);
-                if (user != null) {
-                    user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
-                    userId = user.getId();
-                }
+
+            } else if (identifyBy.equals("workday") && workdayId != null && !workdayId.isEmpty()) {
+                log.debug("Fetch user by workday id {}", workdayId);
+                user = userRepository.getByWorkdayId(workdayId);
            }

-            if (user == null) {
+            if (user != null) {
+                user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
+                userId = user.getId();
+            }
+
+            if (user == null && email != null && (ignoreWorkdayClaim || workdayId != null)) {
                var isFirstUser = userRepository.count() == 0;
-                userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), workdayId, isFirstUser));
+                userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), ignoreWorkdayClaim ? email : workdayId, isFirstUser));
                mappedAuthorities.add(new SimpleGrantedAuthority(isFirstUser ? "ROLE_SERVICE" : "ROLE_NONE"));
+            } else {
+                log.debug("Unable to create user {} / {}", email, workdayId);
+                mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_NONE"));
            }


--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -26,4 +26,9 @@ lcc.allowed_cors=
 lcc.allowed_oauth_token_cors=*

 logging.level.org.springframework.ws=DEBUG
-logging.level.org.springframework.oxm=DEBUG
+logging.level.org.springframework.oxm=DEBUG
+
+lcc.auth.identify.by=workday
+lcc.auth.claim.workday=employeeid
+lcc.auth.claim.email=preferred_username
+lcc.auth.claim.ignore.workday=false