From 626a72ec38891b16a38e7dcd200b79277361c05f Mon Sep 17 00:00:00 2001
From: yuvipanda <yuvipanda@gmail.com>
Date: Mon, 11 Dec 2023 00:13:43 -0800
Subject: [PATCH] Support ORCID & GitHub auth for AGU Binder

Ref https://github.com/2i2c-org/infrastructure/issues/3508

Also led to https://github.com/jupyterhub/oauthenticator/issues/712
being filed upstream
---
 config/clusters/2i2c/agu-binder.values.yaml | 28 ++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/config/clusters/2i2c/agu-binder.values.yaml b/config/clusters/2i2c/agu-binder.values.yaml
index 99fa3a3e5..d2b9e9a14 100644
--- a/config/clusters/2i2c/agu-binder.values.yaml
+++ b/config/clusters/2i2c/agu-binder.values.yaml
@@ -47,7 +47,6 @@ binderhub:
   extraVolumeMounts:
     - name: custom-templates
       mountPath: /etc/binderhub/custom
-
   jupyterhub:
     ingress:
       enabled: true
@@ -69,6 +68,25 @@ binderhub:
           scopes:
             - self
             - "access:services"
+      extraConfig:
+        01-orcid: |
+          def setup_orcid_username(authenticator, handler, authentication):
+            """
+            Fish ORCID username from inside cilogon_user when used with ORCID
+
+            There is no clear way to get just the ORCID id from CILogon, so we
+            have to do this. https://github.com/jupyterhub/oauthenticator/issues/712
+            is the upstream report, we can get rid of this once that gets fixed.
+            """
+            idp = authentication['auth_state']['cilogon_user']['idp']
+            if idp == 'http://orcid.org/oauth/authorize':
+              # Only modify usernames if orcid is used
+              # oidc is of the form https://orcid.org/<orcid-id>
+              authentication['name'] = authentication['auth_state']['cilogon_user']['oidc'].split('/')[-1]
+            return authentication
+
+          c.Authenticator.post_auth_hook = setup_orcid_username
+
       config:
         BinderSpawner:
           auth_enabled: true
@@ -80,6 +98,14 @@ binderhub:
             http://google.com/accounts/o8/id:
               username_derivation:
                 username_claim: "email"
+            http://orcid.org/oauth/authorize:
+              username_derivation:
+                username_claim: "given_name"
+              allow_all: true
+            http://github.com/login/oauth/authorize:
+              username_derivation:
+                username_claim: "preferred_username"
+              allow_all: true
         Authenticator:
           admin_users:
             - choldgraf@2i2c.org