[Feature Request] Add subject in CustomOidcUserService as last fallback when no username can be created #769

@koalaeagle

Describe the bug
When logging in via OIDC with an identity provider that doesn't return the given_name claim (like Dex), Reitti crashes with a NullPointerException at CustomOidcUserService.java:64. However, according to Reitti's documentation, user matching relies on preferred_username and name claims — given_name is not mentioned as a required or used claim. This suggests either a documentation/implementation mismatch, or the code is accessing a claim that shouldn't be part of the authentication flow.

To Reproduce
Steps to reproduce the behavior:

  1. Configure Reitti to use OIDC authentication with Dex (or any provider that omits given_name)
  2. Navigate to the Reitti login page
  3. Click "Login" and authenticate through the OIDC provider
  4. After successful authentication at the provider, the callback to /login/oauth2/code/oauth fails with HTTP 500

Expected behavior
Per the documentation, Reitti should successfully authenticate using preferred_username and name claims. The code should either:

  • Not access given_name at all (if it's not needed), or
  • Handle its absence gracefully if it is used for something undocumented

Screenshots
N/A

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):
N/A

Additional context
Stack trace:

java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because the return value of "org.springframework.security.oauth2.core.oidc.user.OidcUser.getGivenName()" is null
at com.dedicatedcode.reitti.config.CustomOidcUserService.loadUser(CustomOidcUserService.java:64)

Documentation discrepancy: The OIDC documentation states that Reitti uses:

  • preferred_username for username assignment
  • name for display name

But the crash indicates the code is attempting to use given_name, which is an optional OIDC claim that Dex (and other minimal providers) don't include. Could you clarify:

  1. Is given_name actually used for something, or should the code be using preferred_username/name instead?
  2. Should the documentation be updated to list given_name as required?
  3. Or should the code be changed to stop using given_name entirely?
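
An added example, not Reitti's code: a null-safe username resolution that tries the optional claims first and falls back to `sub`, the one identity claim OIDC requires in every ID token. The claim order, the class name and the helper names are assumptions, and the claim sets are constructed; because `sub` is only unique per issuer, a real mapping would key on `iss` together with `sub`.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;

public class OidcUsernameFallback {

    // Returns the first claim among the given names that is a non-blank string, if any.
    static Optional<String> firstClaim(Map<String, Object> claims, String... names) {
        return Stream.of(names)
                .map(claims::get)                    // absent claims come back as null
                .filter(String.class::isInstance)    // drops null and non-string values
                .map(v -> ((String) v).trim())
                .filter(v -> !v.isEmpty())
                .findFirst();
    }

    // Hypothetical helper: optional claims first (assumed order), then "sub" as last fallback.
    static String resolveUsername(Map<String, Object> claims) {
        return firstClaim(claims, "preferred_username", "given_name")
                .map(v -> v.toLowerCase(Locale.ROOT))
                // "sub" is a case-sensitive identifier, so it is used unchanged.
                .or(() -> firstClaim(claims, "sub"))
                .orElseThrow(() -> new IllegalArgumentException("ID token has no usable sub claim"));
    }

    public static void main(String[] args) {
        // Constructed claim sets, not captured from a real provider.
        Map<String, Object> full = new LinkedHashMap<>();
        full.put("sub", "constructed-subject-123");
        full.put("preferred_username", "Alice");
        full.put("given_name", "Alice");

        // Minimal provider response: neither preferred_username nor given_name present.
        Map<String, Object> minimal = new LinkedHashMap<>();
        minimal.put("sub", "constructed-subject-123");
        minimal.put("name", "Alice Example");

        System.out.println(resolveUsername(full));
        System.out.println(resolveUsername(minimal));
    }
}
```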
