How can I pass OIDC_CLAIM_EMAIL value to my applications?

Hi,

I’m new to OOD and am working with an established system. We need to extend our config to pass the user’s email address on job submission. We know how to pass the value, but not how to set it in the first place.

I believe the value we want is populated by openid in the OIDC_CLAIM_EMAIL variable. How can we extract that value and pass it through to the applications, perhaps as an environment variable?

We thought we might be able to do this using the pun_custom_env section (or the pun_custom_env_declarations section) of the nginx_stage.yml file. However, it’s not clear whether the OIDC_CLAIM_EMAIL value is available there or, if so, how to reference it.

Alternatively, it seems we might be able to use the pun_pre_hook_root_cmd and pun_pre_hook_exports options to access OIDC_CLAIM_EMAIL, but it’s not clear how to then propagate the value to the applications.

Thanks for any guidance you can provide!

Chris

Hi and welcome. We don’t preserve any of those environment variables when we start the per-user nginx (PUN). In fact, we’ve made some effort to make sure we don’t leak any extra environment variables to the PUN.

That said - you seem to have found the path forward - the pun_pre_hook_root_cmd.

https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html#ood-portal-generator-pun-pre-hook

Use the pre-hook to write a file, say ~/.email (remember this is running as root, so it likely has to chown and maybe even chmod).

Then use a Ruby initializer to read the file and set the environment variable like so:

```ruby
# /etc/ood/config/apps/dashboard/initializers/email.rb
require 'etc'

# File written by the PUN pre-hook in the user's home directory.
file_to_read = "#{Etc.getpwuid.dir}/.email"

# File.exist? replaces File.exists?, which was removed in Ruby 3.2.
if File.exist?(file_to_read) && File.readable?(file_to_read)
  contents = File.read(file_to_read)
  ENV['OIDC_CLAIM_EMAIL'] = contents
end

# I had this here just for testing.
# puts ENV['OIDC_CLAIM_EMAIL']
```

Docs on initializers are sparse, but here’s an example doing something else:

https://osc.github.io/ood-documentation/latest/customization.html?highlight=initializer#control-which-apps-appear-in-the-dashboard-navbar

Jeff,

That’s just what I needed, thanks very much!

It’s working great, I just had to make a small change to your code above…I added .rstrip to this line:

```ruby
ENV['OIDC_CLAIM_EMAIL'] = contents.rstrip
```

Here’s the pun_pre_hook_root_cmd script I wrote based on your description:

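```bash
#!/bin/bash

# script to be run via the OOD pun_pre_hook_root_cmd mechanism.

# for testing
#exit 0

# the hook is called as: <script> --user <user-name>; drop the --user flag.
shift
if [ $# -ne 1 ]; then
    echo "usage: $0 --user <user-name>" >&2
    exit 1
fi
user=$1

# from https://unix.stackexchange.com/questions/247576/how-to-get-home-given-user
TARGET_DIR=$(/bin/getent passwd "$user" | /bin/cut -d: -f6)
# stop if the lookup failed, otherwise the file would land in /
if [ -z "$TARGET_DIR" ]; then
    echo "no home directory found for $user" >&2
    exit 1
fi
TARGET_FILE="$TARGET_DIR/.email"

# always wipe out the target file (-f: no error when it does not exist yet)
/bin/rm -f -- "$TARGET_FILE"

# is OOD_OIDC_CLAIM_EMAIL set?
if [ -n "${OOD_OIDC_CLAIM_EMAIL+x}" ]; then
    # yes, it is set. create the target file.
    echo "$OOD_OIDC_CLAIM_EMAIL" > "$TARGET_FILE"
    /bin/chown "$user" "$TARGET_FILE"
    # data file, not a program: readable and writable by its owner only
    /bin/chmod 600 "$TARGET_FILE"
fi
```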
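
The pre-hook above runs as root but creates `.email` inside a directory the user owns, so the write is safer when done with the user's own privileges and with a checked value. A hardened variant follows as an added example (not the script from the thread and not OOD's own code). The helper names `valid_email`, `as_user` and `write_claim` are hypothetical, and it assumes `runuser` (util-linux) and GNU `mv -T` are available.

```bash
#!/bin/bash
# Added example, not the script from the thread.
# Called as: <script> --user <user-name>, with OOD_OIDC_CLAIM_EMAIL exported.

# Accept only one plausible address: no whitespace, newlines or shell metacharacters.
valid_email() {
    case $1 in
        *[!A-Za-z0-9._%+@-]*) return 1 ;;  # character outside the allowed set
        *@*@*)                return 1 ;;  # more than one @
        ?*@?*.?*)             return 0 ;;
        *)                    return 1 ;;
    esac
}

# Run a command as user $1. Root drops privileges with runuser; a non-root
# caller can only act as itself, which is what a local test does.
as_user() {
    local u=$1; shift
    if [ "$(id -u)" -eq 0 ] && [ "$u" != "$(id -un)" ]; then
        runuser -u "$u" -- "$@"
    else
        "$@"
    fi
}

# write_claim USER HOME EMAIL: replace HOME/.email atomically with mode 0600.
write_claim() {
    local user=$1 home=$2 email=$3
    [ -n "$home" ] && [ -d "$home" ] || return 2
    valid_email "$email" || return 3
    # mktemp creates a fresh 0600 file; mv -T renames it over whatever sits at
    # .email (a symlink included) instead of writing through it.
    as_user "$user" /bin/sh -c '
        set -e
        tmp=$(mktemp "$1/.email.XXXXXX")
        printf "%s\n" "$2" > "$tmp"
        mv -fT "$tmp" "$1/.email"
    ' sh "$home" "$email"
}

if [ "${1:-}" = "--user" ] && [ $# -eq 2 ]; then
    home=$(getent passwd "$2" | cut -d: -f6)
    if [ -n "${OOD_OIDC_CLAIM_EMAIL:-}" ]; then
        write_claim "$2" "$home" "$OOD_OIDC_CLAIM_EMAIL"
    else
        as_user "$2" rm -f -- "$home/.email"   # no claim: remove any stale file
    fi
fi
```

The file still ends with a newline, so the initializer needs the `.rstrip` mentioned earlier in the thread.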