wip: add cust_email_mapping support

Author: lvaroqui

frontend/src/api/types/clients.ts

@@ -65,6 +65,8 @@ export interface UpdateClientRequest {
     backchannel_logout_uri?: string,
     /// Validation: PATTERN_GROUP
     restrict_group_prefix?: string,
+    /// Validation: PATTERN_ATTR
+    cust_email_mapping?: string,
     scim?: ScimClientRequestResponse,
 }
 
@@ -95,6 +97,7 @@ export interface ClientResponse {
     backchannel_logout_uri?: string,
     restrict_group_prefix?: string,
     scim?: ScimClientRequestResponse,
+    cust_email_mapping?: string,
 }
 
 export interface ClientSecretResponse {

frontend/src/lib/admin/clients/ClientConfig.svelte

@@ -33,14 +33,18 @@
         client = $bindable(),
         clients,
         scopesAll,
+        attrsAll,
         onSave,
     }: {
         client: ClientResponse,
         clients: ClientResponse[],
         scopesAll: string[],
+        attrsAll: string[],
         onSave: () => void,
     } = $props();
 
+    let attrsWithNone = $state(['None'].concat(attrsAll));
+
     let t = useI18n();
     let ta = useI18nAdmin();
 
@@ -59,6 +63,7 @@
     let postLogoutRedirectURIs: string[] = $state(client.post_logout_redirect_uris ? Array.from(client.post_logout_redirect_uris) : []);
     let backchannel_logout_uri: string = $state(client.backchannel_logout_uri || '');
     let restrict_group_prefix: string = $state(client.restrict_group_prefix || '');
+    let cust_email_mapping: string = $state(client.cust_email_mapping || 'None');
 
     let scimEnabled = $state(client.scim !== undefined);
     let scim: ScimClientRequestResponse = $state({
@@ -117,6 +122,7 @@
             origins = client.allowed_origins ? Array.from(client.allowed_origins) : [];
             redirectURIs = Array.from(client.redirect_uris);
             postLogoutRedirectURIs = client.post_logout_redirect_uris ? Array.from(client.post_logout_redirect_uris) : [];
+            cust_email_mapping = client.cust_email_mapping || 'None';
 
             flows.authorizationCode = client.flows_enabled.includes('authorization_code');
             flows.clientCredentials = client.flows_enabled.includes('client_credentials');
@@ -204,6 +210,7 @@
             contacts: contacts.length > 0 ? contacts : undefined,
             backchannel_logout_uri: backchannel_logout_uri || undefined,
             restrict_group_prefix: restrict_group_prefix || undefined,
+            cust_email_mapping: cust_email_mapping != 'None' ? cust_email_mapping : undefined,
         }
 
         if (flows.authorizationCode) {
@@ -311,6 +318,14 @@
                 width={inputWidth}
                 pattern={PATTERN_GROUP}
         />
+        <div class="flex gap-05">
+            Todo
+            <Options
+                ariaLabel={ta.attrs.name}
+                options={attrsWithNone}
+                bind:value={cust_email_mapping}
+            />
+        </div>
 
         <p class="mb-0"><b>Authentication Flows</b></p>
         <InputCheckbox ariaLabel="authorization_code" bind:checked={flows.authorizationCode}>

frontend/src/lib/admin/clients/ClientDetails.svelte

@@ -12,11 +12,13 @@
         client,
         clients,
         scopesAll,
+        attrsAll,
         onSave,
     }: {
         client: ClientResponse,
         clients: ClientResponse[],
         scopesAll: string[],
+        attrsAll: string[],
         onSave: () => void,
     } = $props();
 
@@ -49,7 +51,7 @@
 
 <div class="details">
     {#if selected === ta.nav.config}
-        <ClientConfig {client} {clients} {scopesAll} {onSave}/>
+        <ClientConfig {client} {clients} {scopesAll} {attrsAll} {onSave}/>
     {:else if selected === 'Secret'}
         <ClientSecret {client}/>
     {:else if selected === 'Branding'}

frontend/src/lib/admin/clients/Clients.svelte

@@ -12,6 +12,7 @@
     import type {ClientResponse} from "$api/types/clients.ts";
     import ClientAddNew from "$lib5/admin/clients/ClientAddNew.svelte";
     import ClientDetails from "$lib5/admin/clients/ClientDetails.svelte";
+	import type { UserAttrConfigResponse } from "$api/types/user_attrs";
 
     let ta = useI18nAdmin();
 
@@ -23,6 +24,7 @@
     let client: undefined | ClientResponse = $state();
     let cid = useParam('cid');
     let scopesAll: string[] = $state([]);
+    let attrsAll: string[] = $state([]);
 
     const searchOptions = ['ID'];
     let searchOption = $state(searchOptions[0]);
@@ -32,6 +34,7 @@
     onMount(() => {
         fetchClients();
         fetchScopes();
+        fetchAttrs();
     });
 
     $effect(() => {
@@ -65,6 +68,14 @@
         }
     }
 
+    async function fetchAttrs() {
+        let res = await fetchGet<UserAttrConfigResponse>('/auth/v1/users/attr');
+        if (res.body) {
+            attrsAll = res.body.values.map((a) => a.name);
+        } else {
+            err = res.error?.message || 'Error';
+        }
+    }
     function onChangeOrder(option: string, direction: 'up' | 'down') {
         let up = direction === 'up';
         if (option === orderOptions[0]) {
@@ -127,7 +138,7 @@
 
     <div id="groups">
         {#if client}
-            <ClientDetails {client} {clients} {scopesAll} {onSave}/>
+            <ClientDetails {client} {clients} {scopesAll} {attrsAll} {onSave}/>
         {/if}
     </div>
 </ContentAdmin>

migrations/hiqlite/17_add_custom_email_mapping.sql

@@ -0,0 +1,4 @@
+ALTER TABLE clients
+    ADD cust_email_mapping TEXT
+        REFERENCES user_attr_config
+            ON UPDATE CASCADE ON DELETE CASCADE;

migrations/postgres/V12_add_custom_email_mapping.sql

@@ -0,0 +1,4 @@
+ALTER TABLE clients
+    ADD cust_email_mapping TEXT
+        REFERENCES user_attr_config
+        ON UPDATE ON DELETE CASCADE;

src/api_types/src/clients.rs

@@ -1,7 +1,7 @@
 use crate::cust_validation::*;
 use crate::oidc::JwkKeyPairAlg;
 use rauthy_common::regex::{
-    RE_CLIENT_ID_EPHEMERAL, RE_CLIENT_NAME, RE_GROUPS, RE_LOWERCASE, RE_SCOPE_SPACE,
+    RE_ATTR, RE_CLIENT_ID_EPHEMERAL, RE_CLIENT_NAME, RE_GROUPS, RE_LOWERCASE, RE_SCOPE_SPACE,
     RE_TOKEN_ENDPOINT_AUTH_METHOD, RE_URI,
 };
 use serde::{Deserialize, Serialize};
@@ -194,6 +194,8 @@ pub struct UpdateClientRequest {
     /// Validation: `^[a-zA-Z0-9-_/,:*\\s]{2,64}$`
     #[validate(regex(path = "*RE_GROUPS", code = "^[a-zA-Z0-9-_/,:*\\s]{2,64}$"))]
     pub restrict_group_prefix: Option<String>,
+    #[validate(regex(path = "*RE_ATTR", code = "^[a-z0-9-_/]{2,32}$"))]
+    pub cust_email_mapping: Option<String>,
     #[validate(nested)]
     pub scim: Option<ScimClientRequestResponse>,
 }
@@ -254,6 +256,8 @@ pub struct ClientResponse {
     pub restrict_group_prefix: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub scim: Option<ScimClientRequestResponse>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cust_email_mapping: Option<String>,
 }
 
 #[derive(Serialize, ToSchema)]

src/models/src/entity/clients.rs

@@ -38,8 +38,8 @@ SET name = $1, enabled = $2, confidential = $3, secret = $4, secret_kid = $5, re
     post_logout_redirect_uris = $7, allowed_origins = $8, flows_enabled = $9, access_token_alg = $10,
     id_token_alg = $11, auth_code_lifetime = $12, access_token_lifetime = $13, scopes = $14,
     default_scopes = $15, challenge = $16, force_mfa= $17, client_uri = $18, contacts = $19,
-    backchannel_logout_uri = $20, restrict_group_prefix = $21
-WHERE id = $22"#;
+    backchannel_logout_uri = $20, restrict_group_prefix = $21, cust_email_mapping = $22
+WHERE id = $23"#;
 
 /**
 # OIDC Client
@@ -77,6 +77,7 @@ pub struct Client {
     pub contacts: Option<String>,
     pub backchannel_logout_uri: Option<String>,
     pub restrict_group_prefix: Option<String>,
+    pub cust_email_mapping: Option<String>,
 }
 
 impl Debug for Client {
@@ -87,7 +88,8 @@ impl Debug for Client {
         redirect_uris: {}, post_logout_redirect_uris: {:?}, allowed_origins: {:?}, \
         flows_enabled: {}, access_token_alg: {}, id_token_alg: {}, auth_code_lifetime: {}, \
         access_token_lifetime: {}, scopes: {}, default_scopes: {}, challenge: {:?}, force_mfa: {}, \
-        client_uri: {:?}, contacts: {:?}, backchannel_logout_uri: {:?}, restrict_group_prefix: {:?} \
+        client_uri: {:?}, contacts: {:?}, backchannel_logout_uri: {:?}, restrict_group_prefix: {:?}, \
+        cust_email_mapping: {:?}
         }}",
             self.id,
             self.name,
@@ -109,6 +111,7 @@ impl Debug for Client {
             self.contacts,
             self.backchannel_logout_uri,
             self.restrict_group_prefix,
+            self.cust_email_mapping
         )
     }
 }
@@ -138,6 +141,7 @@ impl From<tokio_postgres::Row> for Client {
             contacts: row.get("contacts"),
             backchannel_logout_uri: row.get("backchannel_logout_uri"),
             restrict_group_prefix: row.get("restrict_group_prefix"),
+            cust_email_mapping: row.get("cust_email_mapping"),
         }
     }
 }
@@ -165,9 +169,9 @@ impl Client {
 INSERT INTO clients (id, name, enabled, confidential, secret, secret_kid, redirect_uris,
 post_logout_redirect_uris, allowed_origins, flows_enabled, access_token_alg, id_token_alg,
 auth_code_lifetime, access_token_lifetime, scopes, default_scopes, challenge, force_mfa,
-client_uri, contacts, backchannel_logout_uri, restrict_group_prefix)
+client_uri, contacts, backchannel_logout_uri, restrict_group_prefix, cust_email_mapping)
 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17,
-$18, $19, $20, $21, $22)"#;
+$18, $19, $20, $21, $22, $23)"#;
 
         if is_hiqlite() {
             DB::hql()
@@ -195,7 +199,8 @@ $18, $19, $20, $21, $22)"#;
                         &client.client_uri,
                         &client.contacts,
                         &client.backchannel_logout_uri,
-                        &client.restrict_group_prefix
+                        &client.restrict_group_prefix,
+                        &client.cust_email_mapping
                     ),
                 )
                 .await?;
@@ -225,6 +230,7 @@ $18, $19, $20, $21, $22)"#;
                     &client.contacts,
                     &client.backchannel_logout_uri,
                     &client.restrict_group_prefix,
+                    &client.cust_email_mapping,
                 ],
             )
             .await?;
@@ -250,9 +256,9 @@ $18, $19, $20, $21, $22)"#;
 INSERT INTO clients (id, name, enabled, confidential, secret, secret_kid, redirect_uris,
 post_logout_redirect_uris, allowed_origins, flows_enabled, access_token_alg, id_token_alg,
 auth_code_lifetime, access_token_lifetime, scopes, default_scopes, challenge, force_mfa,
-client_uri, contacts, backchannel_logout_uri, restrict_group_prefix)
+client_uri, contacts, backchannel_logout_uri, restrict_group_prefix, cust_email_mapping)
 VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20,
-$21, $22)"#;
+$21, $22, $23)"#;
         let sql_2 = r#"
 INSERT INTO
 clients_dyn (id, created, registration_token, token_endpoint_auth_method)
@@ -285,7 +291,8 @@ VALUES ($1, $2, $3, $4)"#;
                             &client.client_uri,
                             &client.contacts,
                             &client.backchannel_logout_uri,
-                            &client.restrict_group_prefix
+                            &client.restrict_group_prefix,
+                            &client.cust_email_mapping
                         ),
                     ),
                     (
@@ -329,6 +336,7 @@ VALUES ($1, $2, $3, $4)"#;
                     &client.contacts,
                     &client.backchannel_logout_uri,
                     &client.restrict_group_prefix,
+                    &client.cust_email_mapping,
                 ],
             )
             .await?;
@@ -641,6 +649,7 @@ VALUES ($1, $2, $3, $4)"#;
                         contacts,
                         backchannel_logout_uri,
                         &self.restrict_group_prefix,
+                        &self.cust_email_mapping,
                         self.id.clone()
                     ),
                 )
@@ -670,6 +679,7 @@ VALUES ($1, $2, $3, $4)"#;
                     &contacts,
                     &backchannel_logout_uri,
                     &self.restrict_group_prefix,
+                    &self.cust_email_mapping,
                     &self.id,
                 ],
             )
@@ -1472,6 +1482,7 @@ impl Client {
                 sync_groups: scim.sync_groups,
                 group_sync_prefix: scim.group_sync_prefix,
             }),
+            cust_email_mapping: self.cust_email_mapping,
         }
     }
 }
@@ -1517,6 +1528,7 @@ impl From<EphemeralClientRequest> for Client {
             contacts: value.contacts.map(|c| c.join(",")),
             backchannel_logout_uri: None,
             restrict_group_prefix: None,
+            cust_email_mapping: None,
         }
     }
 }
@@ -1556,6 +1568,7 @@ impl Default for Client {
             contacts: None,
             backchannel_logout_uri: None,
             restrict_group_prefix: None,
+            cust_email_mapping: None,
         }
     }
 }
@@ -1765,6 +1778,7 @@ mod tests {
             contacts: Some("[email protected],@alfred:matrix.org".to_string()),
             backchannel_logout_uri: None,
             restrict_group_prefix: None,
+            cust_email_mapping: None,
         };
 
         assert_eq!(client.get_access_token_alg().unwrap(), JwkKeyPairAlg::EdDSA);

src/models/src/migration/anti_lockout.rs

@@ -59,6 +59,7 @@ pub async fn anti_lockout() -> Result<(), ErrorResponse> {
         contacts: vars.email.rauthy_admin_email.clone(),
         backchannel_logout_uri: None,
         restrict_group_prefix: None,
+        cust_email_mapping: None,
     };
     debug!("Rauthy client anti-lockout: {:?}", rauthy);
 

src/service/src/client.rs

@@ -56,6 +56,7 @@ pub async fn update_client(
     client.client_uri = client_req.client_uri;
     client.backchannel_logout_uri = client_req.backchannel_logout_uri;
     client.restrict_group_prefix = client_req.restrict_group_prefix;
+    client.cust_email_mapping = client_req.cust_email_mapping;
 
     client.save().await?;