Add support for preferred_username claims #8838
Combs7th wants to merge 1 commit into v11.6-documentation from
Adds Use preferred username setting documentation to each OpenID Connect provider section (GitLab, Google, Entra ID, OpenID Connect other) in the authentication configuration settings reference, and a corresponding note in the OpenID Connect SSO setup guide.

Closes #8835

Co-authored-by: Combs7th <Combs7th@users.noreply.github.com>
@cpoile - Do the above doc updates look accurate to you?

Newest code from mattermost has been published to preview environment for Git SHA 3f0b790
📝 Walkthrough

Documentation updates added new OpenID Connect configuration settings for four OIDC providers (GitLab, Google, Entra ID, and generic OIDC) that enable administrators to assign Mattermost usernames from the

Changes
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
source/administration-guide/configure/authentication-configuration-settings.rst (1)
2350-2352: Consider adding a claim-availability note for non-Entra providers too.
Only the Entra section explicitly tells admins how to make `preferred_username` available. Adding a short equivalent caveat in Google/generic sections (or one shared note) would reduce setup ambiguity.
Also applies to: 2602-2604
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@source/administration-guide/configure/authentication-configuration-settings.rst` around lines 2350 - 2352, Add a short claim-availability caveat stating that the preferred_username claim must be exposed by the identity provider for Mattermost to use it (mentioning the Google OpenID token and generic OIDC providers), and either point readers to the existing Entra instructions for how to enable that claim or briefly describe the equivalent provider-side step (e.g., map/emit preferred_username in the provider's token/claims configuration); reference the `preferred_username` claim and the Google/OpenID/OIDC sections so readers know where to apply this note.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@source/administration-guide/onboard/sso-openidconnect.rst`:
- Line 32: The provider-specific onboarding pages for GitLab, Google, and Azure
AD need to mention the new "Use preferred username" option: update each
provider's onboarding page where username sourcing is described to add a short
sentence that usernames can be taken from the OpenID Connect preferred_username
claim by enabling the Use preferred username option in System Console >
Authentication > OpenID Connect, and link to the existing authentication
configuration settings reference (the :ref:`authentication configuration
settings
<administration-guide/configure/authentication-configuration-settings:openid
connect>` reference used in sso-openidconnect.rst). Locate the username sourcing
sections in the GitLab, Google, and Azure AD onboarding docs and add this
single-line note with the same phrasing and reference as the generic OIDC page
for consistency.
📒 Files selected for processing (2)
source/administration-guide/configure/authentication-configuration-settings.rst
source/administration-guide/onboard/sso-openidconnect.rst
| .. note:: | ||
| - When Mattermost is configured to use OpenID Connect for user authentication, the following user attribute changes can't be made through the Mattermost API: first name, last name, or username. OpenID Connect must be the authoritative source for these user attributes. | ||
| - The **Discovery Endpoint** setting can be used to determine the connectivity and availability of arbitrary hosts. System admins concerned about this can use custom admin roles to limit access to modifying these settings. See the :ref:`delegated granular administration <administration-guide/onboard/delegated-granular-administration:edit privileges of admin roles (advanced)>` documentation for details. | ||
| - Admins can configure Mattermost to use the ``preferred_username`` claim from the OpenID token as the Mattermost username. Enable the **Use preferred username** option in the provider's settings under **System Console > Authentication > OpenID Connect**. See the :ref:`authentication configuration settings <administration-guide/configure/authentication-configuration-settings:openid connect>` for details. |
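Review bot: The added last bullet of this note block does not say what happens when the token carries no `preferred_username` claim, or when its value matches a username that already exists on the server. OpenID Connect Core states that a relying party must not rely on `preferred_username` being unique, and the first bullet of this note makes OpenID Connect the authoritative source for the username, so an admin enabling **Use preferred username** needs to know the fallback and the collision behaviour before turning it on. Suggest stating both in this bullet, or confirming that the linked settings reference covers them, and adding that the identity provider must be configured to emit the claim.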
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether provider-specific SSO docs mention preferred_username.
# Expected: sso-gitlab.rst, sso-google.rst, and sso-entraid.rst should mention preferred_username
# where they describe username sourcing/authority.
fd -a 'sso-(gitlab|google|entraid)\.rst$' source | while read -r f; do
echo "=== $f ==="
rg -n -C2 'preferred_username|username|authoritative source' "$f"
echo
done
Repository: mattermost/docs
Length of output: 1530
Provider-specific onboarding docs lack reference to the new Use preferred username option.
The generic OIDC page now documents the Use preferred username option (line 32), but the provider-specific onboarding pages for GitLab, Google, and Azure AD don't mention this feature where they describe username sourcing. Since these pages explain that usernames must come from the OpenID Connect/OAuth 2.0 provider, they should reference the new preferred_username claim option for consistency.
Adds Use preferred username setting documentation to each OpenID Connect provider section in the authentication configuration settings reference, and a note in the OpenID Connect SSO setup guide.

Closes #8835
Generated with Claude Code