From ebae3dc9d8efc65535c44d43330ac522e44f1353 Mon Sep 17 00:00:00 2001
From: Dmitry Savelev
Date: Thu, 3 Oct 2024 23:37:24 +0200
Subject: [PATCH 1/3] Use user's email as ID as a fallback for Vercel auth.

---
 .../java/vercel/VercelMPIdentityProvider.java | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/src/main/java/vercel/VercelMPIdentityProvider.java b/src/main/java/vercel/VercelMPIdentityProvider.java
index dfafb3c..b283557 100755
--- a/src/main/java/vercel/VercelMPIdentityProvider.java
+++ b/src/main/java/vercel/VercelMPIdentityProvider.java
@@ -147,32 +147,33 @@ public BrokeredIdentityContext getFederatedIdentity(String response) {
     // Extract user's identity from JWT.
     protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, JsonWebToken idToken) {
+        String name = (String) idToken.getOtherClaims().get("user_name");
+        String email = (String) idToken.getOtherClaims().get("user_email");
+        String userIdPerInstallation = (String) idToken.getOtherClaims().get("user_id")
+
+        if (email == null || email.isEmpty()) {
+            email = userIdPerInstallation + "@vercel-marketplace.com";
+        }
         // Global user ID is provided by Vercel only for Neon integrations!
         // For other marketplace integrations it provides only user ID per each integration installation.
         // I.e. the same Vercel user will have different ID in different Vercel teams.
         //
-        // In case global_user_id is not set we will fall back to user ID per installation.
+        // In case global_user_id is not set we will fall back to user's Email and ID per installation eventually.
+        //
+        // NB! User will be able to login using Vercel SSO only into his first integration installation in case
+        // of userID per installation fallback! Because Keycloak will fail inserting second Federal ID for the same
+        // user and Identity Provider.
         String id = (String) idToken.getOtherClaims().get("global_user_id");
         if (id == null || id.isEmpty()) {
-            id = (String) idToken.getOtherClaims().get("user_id");
+            id = email;
         }
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id, getConfig());
-
-        String name = (String) idToken.getOtherClaims().get("user_name");
-        String email = (String) idToken.getOtherClaims().get("user_email");
-
-        if (email == null || email.isEmpty()) {
-            email = id + "@vercel-marketplace.com";
-        }
-
         identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
-        identity.setId(id);
         identity.setEmail(email);
         identity.setName(name);
         identity.setUsername((name == null || name.isEmpty()) ? email : name);
-        identity.setBrokerUserId(getConfig().getAlias() + "." + id);
         if (tokenResponse != null && tokenResponse.getSessionState() != null) {
From 2c79b787074dd7599277265157dda928f80f8f56 Mon Sep 17 00:00:00 2001
From: Dmitry Savelev
Date: Fri, 4 Oct 2024 12:45:02 +0200
Subject: [PATCH 2/3] fix email domain

---
 src/main/java/vercel/VercelMPIdentityProvider.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/vercel/VercelMPIdentityProvider.java b/src/main/java/vercel/VercelMPIdentityProvider.java
index b283557..0a2113f 100755
--- a/src/main/java/vercel/VercelMPIdentityProvider.java
+++ b/src/main/java/vercel/VercelMPIdentityProvider.java
@@ -40,6 +40,7 @@ public class VercelMPIdentityProvider extends OIDCIdentityProvider implements SocialIdentityProvider {
     private static final String BROKER_NONCE_PARAM = "BROKER_NONCE";
+    private static final String EMAIL_FALLBACK_TEMPLATE = "%s@vercelmp.internal";
     private static final Logger logger = Logger.getLogger(VercelMPIdentityProvider.class);
     //private static final String AUTH_URL = "https://api.vercel.com/oauth/authorize";
@@ -152,7 +153,7 @@ protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenRespo
         String userIdPerInstallation = (String) idToken.getOtherClaims().get("user_id")
         if (email == null || email.isEmpty()) {
-            email = userIdPerInstallation + "@vercel-marketplace.com";
+            email = EMAIL_FALLBACK_TEMPLATE.formatted(userIdPerInstallation);
         }
         // Global user ID is provided by Vercel only for Neon integrations!
         // For other marketplace integrations it provides only user ID per each integration installation.
From 58be02a846d4759ee18a06d6518af9f0d78be79c Mon Sep 17 00:00:00 2001
From: Dmitry Savelev
Date: Fri, 4 Oct 2024 13:02:51 +0200
Subject: [PATCH 3/3] small fix

---
 src/main/java/vercel/VercelMPIdentityProvider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
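Review bot: The new fallback chain can still collapse unrelated users onto one identity: when `global_user_id` and `user_email` are absent and `user_id` is missing as well, `userIdPerInstallation + "@vercel-marketplace.com"` produces the literal string `null@vercel-marketplace.com`, which the next block then assigns to `id` and passes to `BrokeredIdentityContext`, so every token lacking all three claims would map to the same federated user. Guard the last claim before building the address, e.g. `if (userIdPerInstallation == null || userIdPerInstallation.isEmpty()) { throw new IdentityBrokerException("Vercel ID token carries neither global_user_id nor user_id"); }`, so the provider rejects the login instead of inventing a shared identifier. The same unguarded line survives in the second hunk of PATCH 2/3 and in the hunk of PATCH 3/3, where `EMAIL_FALLBACK_TEMPLATE.formatted(userIdPerInstallation)` likewise renders a null argument as "null". Because the email now becomes the stable federated identifier, it would also be worth normalizing it (trim and lower-case with `Locale.ROOT`) before assigning it to `id`; otherwise a casing or whitespace difference in the claim creates a second identity, and I cannot tell from the hunk whether Keycloak canonicalizes it later. The body of extractIdentity continues past the end of this hunk.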
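Review bot: `EMAIL_FALLBACK_TEMPLATE` in the first hunk of PATCH 2/3 is introduced without any comment, so a reader of the constants block cannot tell that the resulting addresses are synthetic placeholders rather than mailboxes anyone owns. Suggest a comment above the field such as `// Placeholder address for Vercel users whose ID token has no user_email; the .internal TLD is reserved for private use, so it never resolves to a real mailbox — do not send mail to it.` If the realm has email verification or notifications enabled, these placeholder addresses would be undeliverable; whether that is handled elsewhere is not visible from this hunk.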
diff --git a/src/main/java/vercel/VercelMPIdentityProvider.java b/src/main/java/vercel/VercelMPIdentityProvider.java
index 0a2113f..df8da5c 100755
--- a/src/main/java/vercel/VercelMPIdentityProvider.java
+++ b/src/main/java/vercel/VercelMPIdentityProvider.java
@@ -150,7 +150,7 @@ public BrokeredIdentityContext getFederatedIdentity(String response) {
     protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, JsonWebToken idToken) {
         String name = (String) idToken.getOtherClaims().get("user_name");
         String email = (String) idToken.getOtherClaims().get("user_email");
-        String userIdPerInstallation = (String) idToken.getOtherClaims().get("user_id")
+        String userIdPerInstallation = (String) idToken.getOtherClaims().get("user_id");
         if (email == null || email.isEmpty()) {
             email = EMAIL_FALLBACK_TEMPLATE.formatted(userIdPerInstallation);