Merge pull request #25 from neondatabase/dsavelev/use-email-as-id

Use user's email as ID as a fallback for Vercel auth.
neondatabase · Oct 4, 2024 · f60e4e8 · f60e4e8
2 parents 0c40275 + 58be02a
commit f60e4e8
Showing 1 changed file with 14 additions and 12 deletions.
diff --git a/src/main/java/vercel/VercelMPIdentityProvider.java b/src/main/java/vercel/VercelMPIdentityProvider.java
@@ -40,6 +40,7 @@
 
 public class VercelMPIdentityProvider extends OIDCIdentityProvider implements SocialIdentityProvider<OIDCIdentityProviderConfig> {
     private static final String BROKER_NONCE_PARAM = "BROKER_NONCE";
+    private static final String EMAIL_FALLBACK_TEMPLATE = "%[email protected]";
 
     private static final Logger logger = Logger.getLogger(VercelMPIdentityProvider.class);
     //private static final String AUTH_URL = "https://api.vercel.com/oauth/authorize";
@@ -147,32 +148,33 @@ public BrokeredIdentityContext getFederatedIdentity(String response) {
 
     // Extract user's identity from JWT.
     protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, JsonWebToken idToken) {
+        String name = (String) idToken.getOtherClaims().get("user_name");
+        String email = (String) idToken.getOtherClaims().get("user_email");
+        String userIdPerInstallation = (String) idToken.getOtherClaims().get("user_id");
+
+        if (email == null || email.isEmpty()) {
+            email = EMAIL_FALLBACK_TEMPLATE.formatted(userIdPerInstallation);
+        }
         // Global user ID is provided by Vercel only for Neon integrations!
         // For other marketplace integrations it provides only user ID per each integration installation.
         // I.e. the same Vercel user will have different ID in different Vercel teams.
         //
-        // In case global_user_id is not set we will fall back to user ID per installation.
+        // In case global_user_id is not set we will fall back to user's Email and ID per installation eventually.
+        //
+        // NB! User will be able to login using Vercel SSO only into his first integration installation in case
+        // of userID per installation fallback! Because Keycloak will fail inserting second Federal ID for the same
+        // user and Identity Provider.
         String id = (String) idToken.getOtherClaims().get("global_user_id");
         if (id == null || id.isEmpty()) {
-            id = (String) idToken.getOtherClaims().get("user_id");
+            id = email;
         }
 
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id, getConfig());
-
-        String name = (String) idToken.getOtherClaims().get("user_name");
-        String email = (String) idToken.getOtherClaims().get("user_email");
-
-        if (email == null || email.isEmpty()) {
-            email = id + "@vercel-marketplace.com";
-        }
-
         identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
-
         identity.setId(id);
         identity.setEmail(email);
         identity.setName(name);
         identity.setUsername((name == null || name.isEmpty()) ? email : name);
-
         identity.setBrokerUserId(getConfig().getAlias() + "." + id);
 
         if (tokenResponse != null && tokenResponse.getSessionState() != null) {