Commit Graph

2 Commits

Author SHA1 Message Date
Andrei Aaron fa2960b705 fix(auth): refine OIDC identity handling and claim-mapping logs (#4028)
Rename getOpenIDUsername to getOpenIDIdentity and thread "identity"
through bearer OIDC, Basic-auth parsing, OAuth2Callback, and log fields.

Only fall back (and warn) to the default email claim when the configured
username claim is non-default but missing or empty.

Stop emitting Info logs when groups are absent on only UserInfo or only ID
token claims; log once at Debug when no groups remain after merging both.

Update ClaimMapping docs to mention username and groups claims; fix mTLS
extractIdentity comment typo; clarify GetAuthUserFromRequestSession doc.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
2026-05-01 09:34:48 -07:00
Akash Kumar cb9d682a69 feat(auth): map OpenID groups claim (#3999)
* feat(auth): map OpenID groups claim

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* fix(auth): refine OIDC claim mapping logs

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* refactor(auth): collapse OIDC username fallback into nested if

Reuse the empty-username branch for the email fallback so the value is
checked once and the failure path lives next to the recovery attempt.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

* refactor(auth): consolidate OIDC claim extraction into authn.go

Move getOpenIDClaimMapping, getOpenIDUsername, and appendOpenIDGroups
out of routes.go into authn.go alongside a new extractOpenIDIdentity
helper that owns the username/groups extraction flow. This keeps the
HTTP callback in routes.go thin and groups OIDC plumbing with the rest
of the authentication code.

Also:
- Filter nil and empty entries consistently across the []any, []string,
  and string branches of appendOpenIDGroups, with new test cases
  covering []any{nil, ""} and []string{"admin","",...}.
- Surface a Warn log when an operator-configured username claim is
  missing/empty so the fallback to email isn't silent.
- Rename openid_claim_mapping_internal_test.go to authn_internal_test.go
  and drop the build tags that aren't needed for the internal tests.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

---------

Signed-off-by: Akash Kumar <meakash7902@gmail.com>
2026-05-01 11:59:51 +03:00
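
The claim handling these two commit messages describe (dropping nil and empty group entries across the `[]any`, `[]string` and string shapes, and falling back to the email claim only when a non-default username claim is missing or empty) can be sketched as follows. This is an added example, not code from the commits or the project; `normalizeGroups`, `resolveIdentity`, the `preferred_username` setting and the sample claims are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

const defaultUsernameClaim = "email" // default claim named in the commit message

// normalizeGroups (hypothetical) flattens a decoded groups claim and drops
// nil, non-string and empty entries so none of them becomes a group name.
func normalizeGroups(claim any) []string {
	out := []string{}
	add := func(e any) {
		if s, ok := e.(string); ok && s != "" {
			out = append(out, s)
		}
	}
	switch v := claim.(type) {
	case []any:
		for _, e := range v {
			add(e)
		}
	case []string:
		for _, s := range v {
			add(s)
		}
	case string:
		add(v)
	}
	return out
}

// resolveIdentity (hypothetical) falls back to email only for a non-default
// claim; fellBack tells the caller to log a warning so it is not silent.
func resolveIdentity(claims map[string]any, claimName string) (id string, fellBack bool, err error) {
	if s, _ := claims[claimName].(string); s != "" {
		return s, false, nil
	}
	if claimName != defaultUsernameClaim {
		if s, _ := claims[defaultUsernameClaim].(string); s != "" {
			return s, true, nil
		}
	}
	return "", false, errors.New("no usable identity claim")
}

func main() {
	// Constructed sample claims; the configured username claim is absent.
	claims := map[string]any{"email": "a@example.test", "groups": []any{nil, "", "admin"}}
	fmt.Println(resolveIdentity(claims, "preferred_username"))
	fmt.Println(normalizeGroups(claims["groups"]))
}
```

Rejecting the login when neither claim yields a value keeps an empty string from ever being used as an identity in authorization checks.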