fix(authProviders): defensive split for IdPs that put full name in given_name#10919
Open
MichaelUray wants to merge 1 commit into
… shape
Authentik's default 'profile' scope mapping has no first/last separation
and emits given_name = full display name. Huly's openid.ts previously
used given_name verbatim, then derived last_name from name.split(' '),
producing duplicated last names like "Florian Preininger Preininger".
Now uses a strict normalized heuristic: when given_name.trim() === name.trim()
AND family_name is missing/blank, fall back to splitting full-name on
whitespace. Otherwise use given_name/family_name as-is.
Per Codex Recommended (plan-review 2026-06-21): NO broad "given_name
contains family_name" fallback. That would mangle legitimate compound
names like "Anna Lena Schmidt".
Logic extracted into pure helper splitOidcName(claims) at
pods/authProviders/src/oidcNameSplit.ts for testability. 10 test cases
cover Authentik-default, conformant IdP, single-name, compound-surname,
whitespace, missing-name, multi-space, and empty-input.
Upstream-PR-candidate: this is a defensive fix that benefits any
non-Authentik IdP that also has the no-separation quirk.
Signed-off-by: Michael Uray <michael.uray@gmail.com>
Signed-off-by: Michael Uray <michaeluray@users.noreply.github.com>
Connected to Huly®: UBERF-16523
What

pods/authProviders/src/openid.ts now uses a strict normalized heuristic to detect IdPs that emit given_name = full_name and family_name = "" (in violation of OIDC Core 1.0 §5.1). When that exact shape is detected, Huly splits name on whitespace instead of trusting given_name verbatim. Otherwise behaviour is unchanged.

Logic extracted into splitOidcName(claims) at pods/authProviders/src/oidcNameSplit.ts for testability.

Why

Authentik's default OIDC profile scope mapping ships with given_name = request.user.name (full display name) and no family_name (upstream issue tracking the conformance gap). For users like "Florian Preininger", the result was:

- ctx.state.user.given_name = "Florian Preininger" → Huly stamped first_name = "Florian Preininger"
- ctx.state.user.family_name = undefined → Huly's fallback name.split(' ').slice(1).join(' ') = "Preininger"
- "Florian Preininger Preininger"

The same root cause has been reported against OnlyOffice as well (unanswered since 2024-12). Any RP that trusts given_name blindly and uses a split-fallback for family_name hits this.

Upstream resolution status (update 2026-06-22)

Authentik's maintainer (dewi-tik in #23231) has confirmed the root cause and will resolve it in v2026.8 via PR #21544 — adding separate First Name + Family Name user attributes, removing the need for any name-splitting heuristic at all. This is the correct call (splitting fails on non-western naming conventions per the names-falsehoods article).

This PR remains valuable as defense-in-depth:

- The heuristic is strict-shape-gated (only fires when given_name === full_name && family_name === ''), so a properly-configured Authentik 2026.8 + custom scope mapping makes this a no-op without needing the guard to be removed.

The heuristic

- given_name and family_name are populated correctly — heuristic does NOT trigger, behaviour unchanged.
- (given_name: "Anna", family_name: "Lena Schmidt"): family_name is non-empty → heuristic does NOT trigger.

We explicitly avoided a looser "given_name contains family_name" heuristic because that would mangle legitimate compound names where family_name happens to be a substring of given_name.

Tests

pods/authProviders/src/oidcNameSplit.test.ts covers 10 cases:

- name + fallback to username
- {first: '', last: ''} (no crash)

Migration note

This change only affects how NEW logins populate first_name/last_name on the Huly account. Existing rows in global_account.person from before this fix retain the old values. Operators wanting to backfill can run a strict-heuristic UPDATE (happy to add a doc snippet if helpful).

Out-of-scope

Checklist
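The following is an added illustration of the strict-shape heuristic the PR describes, written for this page and not taken from Huly's openid.ts or oidcNameSplit.ts (neither file is shown here). The claim type, the exact splitOidcName signature, the legacySplit reconstruction of the pre-fix behaviour, and the whitespace collapsing in normalize are assumptions; the sample claims are constructed, not captured from a real IdP. It places the buggy path beside the gated one so the "Florian Preininger Preininger" duplication and its fix can both be observed on the same input.

```typescript
// Added example, not Huly's code. Reimplements the heuristic described in
// the PR: split `name` on whitespace ONLY when given_name equals the full
// name AND family_name is missing/blank; otherwise keep legacy behaviour.

interface OidcNameClaims {
  name?: string;
  given_name?: string;
  family_name?: string;
}

interface NameParts {
  first: string;
  last: string;
}

// Trim and collapse internal runs of whitespace so that '  Florian   Preininger '
// compares equal to 'Florian Preininger'. (Assumption: the PR only mentions trim().)
function normalize(value: string | undefined): string {
  return (value ?? '').trim().replace(/\s+/g, ' ');
}

// Fallback shared by both versions: everything after the first token of `name`.
function lastFromFullName(name: string): string {
  return name.split(' ').slice(1).join(' ');
}

// Reconstruction of the pre-fix behaviour as the PR describes it (assumption):
// given_name is used verbatim, and when family_name is absent the last name is
// derived from splitting `name`. On Authentik's default mapping this duplicates
// the surname.
function legacySplit(claims: OidcNameClaims): NameParts {
  const given = normalize(claims.given_name);
  const family = normalize(claims.family_name);
  return {
    first: given,
    last: family !== '' ? family : lastFromFullName(normalize(claims.name)),
  };
}

// Fixed behaviour: fire only on the exact non-conformant shape. Any other
// combination (conformant IdP, compound family_name, missing name) falls
// through unchanged, so the guard never rewrites a correctly populated claim.
function splitOidcName(claims: OidcNameClaims): NameParts {
  const name = normalize(claims.name);
  const given = normalize(claims.given_name);
  const family = normalize(claims.family_name);

  const nonConformantShape = name !== '' && given === name && family === '';
  if (nonConformantShape) {
    // Whitespace splitting assumes "given family" ordering, which is wrong for
    // many naming conventions; that is why the gate above is kept this strict.
    const tokens = name.split(' ');
    return { first: tokens[0] ?? '', last: tokens.slice(1).join(' ') };
  }
  return legacySplit(claims);
}

function displayName(parts: NameParts): string {
  return [parts.first, parts.last].filter((p) => p !== '').join(' ');
}

// Constructed sample claims (not captured from a real IdP).
const samples = {
  authentikDefault: { name: 'Florian Preininger', given_name: 'Florian Preininger' },
  conformantIdp: { name: 'Anna Lena Schmidt', given_name: 'Anna', family_name: 'Lena Schmidt' },
  singleName: { name: 'Madonna', given_name: 'Madonna' },
  compoundSurname: { name: 'Juan Pérez de la Cruz', given_name: 'Juan Pérez de la Cruz' },
  untidyWhitespace: { name: '  Florian   Preininger ', given_name: 'Florian Preininger', family_name: '   ' },
  emptyInput: {},
};

for (const [label, claims] of Object.entries(samples)) {
  console.log(`${label}: legacy="${displayName(legacySplit(claims))}" fixed="${displayName(splitOidcName(claims))}"`);
}
```

Note the caveat the gate implies: an IdP that sends a partial given_name that differs from name (for example given_name "Anna Lena" with name "Anna Lena Schmidt" and no family_name) does not match the shape, so it keeps whatever the legacy fallback produced; that is deliberate per the PR's rejection of a looser "contains" check, and such a tenant needs a fixed scope mapping rather than more heuristics.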