Hi Nick,

The change depends on the current implementation of the usage of the username across the front end. A simple implementation would check in the frontend if a user has a full name/display name and use that, and only fall back to the username if the former is empty. Another possible implementation is to let admins decide which value to use as the display name in the front end, such as username, full name or even email, which are already part of a Guac user profile.
This would make environments using the OIDC extension more secure as well, because many would just go for the most straightforward claim, such as the email or display name on the IdP. But this can be easily abused if you can change these values to impersonate someone with higher privileges. For instance, Microsoft recommends using the object ID claim, which is an immutable GUID and unique across their entire cloud. But doing so in Guac makes it challenging for admins to link these values to actual users without doing some digging.

From: Nick Couchman <[email protected]>
Sent: Monday 9 October 2023 13:28
To: [email protected]
Subject: Re: Separating username from display name

On Mon, Oct 9, 2023 at 3:39 AM Najib . <[email protected]> wrote:

We are currently using the OIDC extension to authenticate users; however, we would like to use a claim that is an immutable GUID as the username for security reasons, since we are currently using the OIDC display name, which is not immutable on the source identity provider. But doing so makes the Guac frontend show this cryptic GUID username too. Is there a way to separate the display name of the user from its underlying username? So that we can use the GUID value as the underlying username and a more human-friendly value as the user's display name, or at the very least let the Guac frontend show the "Full Name" value, which already exists (if it's populated), in places such as the History tab, users overview and so on, instead of the username value.

There is currently no way to do this without making some modifications to both the web application (JavaScript + HTML) source code, as well as some of the Java sources (REST API, guacamole-ext, etc.).

-Nick
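An added example, written for this thread and not code from Guacamole or from either poster, modelling the two points above in JavaScript (the language of the web frontend the reply refers to): keying accounts on a user-editable claim such as `name` or `email` versus an immutable one, and choosing a display name for the frontend with a fallback to the username. The claim names (`oid`, `name`, `email`), the sample claim values and the user-record fields are assumptions for illustration.

```javascript
// Added example, not code from Guacamole or from anyone in this thread.
// It models two things: (1) keying accounts on a mutable claim ("name",
// "email") lets a user who can edit that attribute at the IdP collide with an
// existing account, while an immutable subject claim ("oid" here, standing in
// for Microsoft's object ID) does not; (2) the frontend can show a
// human-friendly display name and fall back to the username when it is blank.
// Claim names, sample values and the user-record shape are assumptions.

// Constructed sample claim sets (not real ID tokens). "name" and "email" are
// attributes a tenant user might be able to change; "oid" is not.
const ADMIN_CLAIMS = {
  oid: "0f8fad5b-d9cb-469f-a165-70867728950e",
  name: "Alice Admin",
  email: "alice@example.test",
};
const ATTACKER_CLAIMS = {
  oid: "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  name: "Alice Admin", // display name changed to match the admin's
  email: "mallory@example.test",
};

// Pick the username from the configured claim. A missing, empty or
// non-string claim is rejected rather than silently becoming "undefined".
function resolveUsername(claims, usernameClaim) {
  const value = claims[usernameClaim];
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`claim "${usernameClaim}" is missing or empty`);
  }
  return value;
}

// Build a user store (username -> profile) from the claim sets of users that
// are already provisioned, in a Guacamole-like profile shape.
function buildUserStore(claimSets, usernameClaim) {
  const store = new Map();
  for (const claims of claimSets) {
    const username = resolveUsername(claims, usernameClaim);
    store.set(username, {
      username,
      fullName: typeof claims.name === "string" ? claims.name : "",
      email: typeof claims.email === "string" ? claims.email : "",
    });
  }
  return store;
}

// Resolve an incoming login to an existing account, or null if none matches.
function authenticate(store, claims, usernameClaim) {
  return store.get(resolveUsername(claims, usernameClaim)) || null;
}

// Display-name selection for the frontend. `preference` is the admin-chosen
// order of profile fields to try; the first non-blank one wins, and the
// username is always the last resort so that something is shown.
function displayName(user, preference = ["fullName"]) {
  for (const field of [...preference, "username"]) {
    const value = user[field];
    if (typeof value === "string" && value.trim() !== "") return value;
  }
  throw new Error("user record has no username");
}

// Same attacker claims, two choices of username claim.
function demo() {
  const byName = buildUserStore([ADMIN_CLAIMS], "name");
  const byOid = buildUserStore([ADMIN_CLAIMS], "oid");
  return {
    impersonatedViaName: authenticate(byName, ATTACKER_CLAIMS, "name") !== null,
    impersonatedViaOid: authenticate(byOid, ATTACKER_CLAIMS, "oid") !== null,
    shownForAdmin: displayName(authenticate(byOid, ADMIN_CLAIMS, "oid")),
  };
}

console.log(demo());
```

With the store keyed on `name`, the attacker's login resolves to the admin's record; keyed on `oid` it resolves to nothing, and the frontend still shows "Alice Admin" rather than the GUID because `displayName` prefers the profile's full name and only falls back to the username when that field is blank.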
