Allow setting a custom attribute for oidc provider sub claim

[uumas]

Is your feature request related to a problem? Please describe.
I have an external auth source and I'm using authentik as an authentication hub between the source and other applications. That auth source has unique user ids that I save in authentik as a custom attribute. I would like to use it as the oidc subject.

Describe the solution you'd like
Add a subject mode option "Based on a user attribute" with a text field where one enter the attribute. Alternatively it could be an expression similar to property mappings.

This would be quite similar to the current "Based on the User's UPN" and it may even make sense to replace it entirely, but that would require migrating existing configurations to the new type with upn as the attribute.

Describe alternatives you've considered
I could set the external uid as the username in authentik as I'm not currently using the username for anything

[BeryJu]

I think you might be able to return sub in a scope mapping as a key-value entry in the dictionary and override the default sub claim, but I haven't tried that myself (looking at the code it should work though)

[uumas]

Seems to not have worked. I added a property mapping for scope sub_custom_attribute, enabled it for the provider and added it to the application scopes. This is the expression:

return {
    "sub": request.user.attributes.get('custom_attribute')
}

But authentik returned the sub selected with the subject type config option.

[BeryJu]

I’m assuming you’ve also reconfigured the application to ask for this new scope?

[uumas]

yes, but just noticed that enabling "Include claims in id_token" causes it to work, which makes sense. So now it works the way I'd like it to, but it's very hacky.

[BeryJu]

I don’t think it’s hacky since this is the intended way for it to function, but it definitely needs to be documented. With this we could probably also remove the UPN option

[uumas]

it would be good to be able to return sub like this without needing to have "Include claims in id_token" enabled

[uumas]

I just updated all the way from 2023.5 (or 2023.6 maybe) to 2024.2 (in steps) and this no longer works and authentik returns the sub claim selected with subject mode instead of the one returned by property mapping. I first noticed this on 2023.10 but it's possible it was broken on 2023.8 or even 2023.6 and I just failed to test it before moving to the next update.

[uumas]

After looking more into this, it seems sub is set correctly in id_token but wrong in userinfo. Discourse has a nice error message for it:

(oidc) Authentication failure! openid_connect_sub_mismatch: OmniAuth::Strategies::OpenIDConnect::SubVerifyError, OIDC `sub` mismatch. ID Token value: "67". UserInfo value: "e291876f256dec9df658f614afd3bd985c4a04b56725e4ffd76977bbb1a8cc32"

[samip5]

Ideal solution would probably be a sub claim option, that would allow you to reference an expression policy.
I wonder how simple adding something like that would be? It seems rather database-oriented when I looked at the different sub choices. :)