feat/generic-oidc-claims: add the ability to set email and id_from_idp from separate OIDC claims in the generic OIDC idp

fence/resources/openid/idp_oauth2.py

@@ -161,23 +161,42 @@ def get_auth_info(self, code):
         user OR "error" field with details of the error.
         """
         user_id_field = self.settings.get("user_id_field", "sub")
+        user_email_field = self.settings.get("user_email_field", "email")
+        id_from_idp_field = self.settings.get("id_from_idp_field", "sub")
         try:
             token_endpoint = self.get_value_from_discovery_doc("token_endpoint", "")
             jwks_endpoint = self.get_value_from_discovery_doc("jwks_uri", "")
             claims = self.get_jwt_claims_identity(token_endpoint, jwks_endpoint, code)
 
-            if claims.get(user_id_field):
-                if user_id_field == "email" and not claims.get("email_verified"):
+            fields = set([user_id_field, user_email_field, id_from_idp_field])
+
+            return_dict = {}
+
+            for field in fields:
+                # Field missing from claims
+                if not claims.get(field):
+                    self.logger.exception(
+                        f"Can't get {field} from claims: {claims}"
+                    )
+                    return {"error": f"Can't get {field} from claims"}
+
+                # Field is email, but isn't verified and we aren't assuming all emails are verified
+                if field == "email" and not (claims.get("email_verified") or self.settings.get("assume_emails_verified")):
                     return {"error": "Email is not verified"}
-                return {
-                    user_id_field: claims[user_id_field],
-                    "mfa": self.has_mfa_claim(claims),
-                }
-            else:
-                self.logger.exception(
-                    f"Can't get {user_id_field} from claims: {claims}"
-                )
-                return {"error": f"Can't get {user_id_field} from claims"}
+
+                # We got the field, so append it to our dictionary
+                return_dict[field] = claims[field]
+
+            # Append the mfa field
+            return_dict["mfa"] = self.has_mfa_claim(claims)
+
+            # Debug
+            self.logger.debug(
+                f"Oauth2ClientBase get_auth_info returning {return_dict}"
+            )
+
+            # Return what we have assembled
+            return return_dict
 
         except Exception as e:
             self.logger.exception(f"Can't get user info from {self.idp}: {e}")