
generic oauth2 : use email as username if there is no "login" or "username" property in /userinfo #21525

Open
mathieupassenaud opened this issue Jan 15, 2020 · 2 comments

Comments

@mathieupassenaud

What happened:
Grafana + Keycloak as authentication provider.
Keycloak has the property "Email as username" activated.

I log in with my Keycloak account, it works fine. Then I changed my email in Keycloak, using the "account" built-in application.
Surprise: when I log in to Grafana I have lost everything; it is a new account.

What you expected to happen:
Email shouldn't be used as a user id. I expected my account unchanged except for my email address.

How to reproduce it (as minimally and precisely as possible):
keycloak as oauth provider
login with an account
change email

Anything else we need to know?:
It is located in file https://github.com/grafana/grafana/blob/master/pkg/login/social/generic_oauth.go in the "extractLogin" function. This function searches for "login" or "username" in the /userinfo endpoint response.
Keycloak does not have those fields by default.
So the function returns email as user login.

Workaround
In Keycloak, open the client you created for Grafana. Go to "mapper" and add a new one. Choose the "user property" mapper type; the user property we want is "id", and add it to the token claim "login".
This works perfectly.

What we should have
Just like with email, we have the "email_attribute_path" configuration option. We should have the same for the user_id attribute.

Environment:

  • Grafana version: 6.5.0
  • OS Grafana is installed on: docker
  • User OS & Browser: windows 10 & chrome
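The fallback chain described in the report, modelled in Go as an added example (this is not Grafana's extractLogin or any other project code). It assumes a hypothetical `LoginAttribute` option naming a top-level claim (the real email_attribute_path option takes a path; a single key lookup is a simplification here) and uses two constructed /userinfo bodies with the same subject but a changed email:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// userInfo is a decoded /userinfo response. Only top-level string claims
// are consulted here; this is a simplification of a path-based option.
type userInfo map[string]interface{}

// loginConfig models the option the issue asks for: the name of the claim
// that should serve as the stable login identifier. The field name and the
// single top-level key lookup are assumptions for this example.
type loginConfig struct {
	LoginAttribute string // e.g. "sub"; empty means not configured
}

// stringClaim returns the named claim if it is a non-empty string.
func stringClaim(ui userInfo, key string) (string, bool) {
	v, ok := ui[key]
	if !ok {
		return "", false
	}
	s, isStr := v.(string)
	return s, isStr && s != ""
}

// extractLogin models the fallback chain the issue describes: a configured
// attribute first, then "login", then "username", and finally "email".
// viaEmail is true when the identity came from the mutable email claim.
func extractLogin(cfg loginConfig, ui userInfo) (login string, viaEmail bool) {
	if cfg.LoginAttribute != "" {
		if s, ok := stringClaim(ui, cfg.LoginAttribute); ok {
			return s, false
		}
	}
	for _, key := range []string{"login", "username"} {
		if s, ok := stringClaim(ui, key); ok {
			return s, false
		}
	}
	email, _ := stringClaim(ui, "email")
	return email, true
}

// parseUserInfo decodes a raw JSON /userinfo body.
func parseUserInfo(raw string) (userInfo, error) {
	var ui userInfo
	if err := json.Unmarshal([]byte(raw), &ui); err != nil {
		return nil, fmt.Errorf("decode userinfo: %w", err)
	}
	return ui, nil
}

// Constructed sample responses in the shape a Keycloak-style provider
// returns with "Email as username" on: no "login" or "username" claim,
// and the user changed their email between the two logins.
const userinfoBefore = `{"sub":"constructed-sub-0001","email":"alice@example.org","preferred_username":"alice@example.org"}`
const userinfoAfter = `{"sub":"constructed-sub-0001","email":"alice@example.net","preferred_username":"alice@example.net"}`

// sameIdentity reports whether two /userinfo responses resolve to the same
// login under cfg, i.e. whether the user would keep their account.
func sameIdentity(cfg loginConfig, beforeRaw, afterRaw string) (bool, error) {
	before, err := parseUserInfo(beforeRaw)
	if err != nil {
		return false, err
	}
	after, err := parseUserInfo(afterRaw)
	if err != nil {
		return false, err
	}
	b, _ := extractLogin(cfg, before)
	a, _ := extractLogin(cfg, after)
	return b == a, nil
}

func main() {
	// Default configuration: falls through to email, so the account changes.
	same, err := sameIdentity(loginConfig{}, userinfoBefore, userinfoAfter)
	fmt.Println("default (email fallback) keeps account:", same, err)

	// Pinning the login to the provider's stable subject keeps the account.
	same, err = sameIdentity(loginConfig{LoginAttribute: "sub"}, userinfoBefore, userinfoAfter)
	fmt.Println("LoginAttribute=sub keeps account:", same, err)
}
```

The point the model makes visible: with the default chain the derived login is the email, so an email change silently creates a second identity, whereas a configured stable claim (the provider's subject, or the "id" property the workaround above maps into a "login" claim) survives the change. The `viaEmail` flag is where a real implementation could log or refuse the fallback.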
@aknuds1
Contributor

aknuds1 commented Jan 16, 2020

Thanks for reporting this, we'll look into it.

@marefr marefr added the needs investigation for unconfirmed bugs. use type/bug for confirmed bugs, even if they "need" more investigating label May 11, 2020
@marefr marefr added this to Inbox in Backend Platform Backlog via automation May 11, 2020
@marefr marefr added type/feature-request and removed needs investigation for unconfirmed bugs. use type/bug for confirmed bugs, even if they "need" more investigating labels Jun 11, 2020
@marefr marefr moved this from Inbox to Epics & features in Backend Platform Backlog Jun 11, 2020
@bergquist bergquist removed this from Features in Backend Platform Backlog Jul 3, 2020
@praserx

praserx commented May 11, 2023

Same issue with generic oauth. If a user changes his e-mail address, then login fails (user already exists). I think that it is quite common behavior to change my primary e-mail. There is nothing wrong if a user changes his e-mail within some identity provider.

The workaround did not work for me. If the user has the same login name (username) but a different e-mail address, the e-mail is not updated and the login attempt fails with the error "User already exists".
