[Backend] Add OpenID Connect SSO support for Microsoft ADFS to get user claims from the id_token

[animedbz16]

#7477

Proposed changes

• If the user claims are not in userinfo, then attempt to get them from the id_token

Related issues

• OpenCTI fails to detect successfully authenticated OpenID Connect SSO via ADFS #7477

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality
• I wrote test cases for the relevant uses case (coverage and e2e)
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.

Project coverage is 66.18%. Comparing base (7f62490) to head (be012d2).
Report is 23 commits behind head on master.

Files with missing lines	Patch %	Lines
...i-platform/opencti-graphql/src/config/providers.js	0.00%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7478      +/-   ##
==========================================
- Coverage   66.19%   66.18%   -0.02%     
==========================================
  Files         597      597              
  Lines       60387    60391       +4     
  Branches     6193     6192       -1     
==========================================
- Hits        39974    39968       -6     
- Misses      20413    20423      +10     

Flag	Coverage Δ
	66.18% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[animedbz16]

Spoke with @SarahBocognano and @marieflorescontact in Slack on whether or not test need to be added since the CodeCov report was complaining that the code I have added is not being tested, but it appears that most of the provider.js code does not have any related tests and was mentioned that it is likely acceptable to not add tests within this PR since there the provider.js tests likely would be added holistically at some future point in time.

I have refactored the code slightly to ensure that the id_token is not decoded unless any of the userinfo attributes do not exist and then attempt to obtain them from the decoded id_token, so the code I have added should be bypassed entirely unless the userinfo data does not exist.

[richard-julien]

Hi @animedbz16,
Can you change your PR to check a boolean in the mapped config instead of testing if the attributes are empty?
Something like

if (mappedConfig.get_basic_info_from_token === true) {
   const decodedIdToken = jwtDecode(tokenset.id_token);
   name = decodedIdToken[nameAttribute];
   email = decodedIdToken[emailAttribute];
   firstname = decodedIdToken[firstnameAttribute];
   lastname = ldecodedIdToken[lastnameAttribute];
} 

Thanks

[animedbz16]

Yes, I will look to make those updates to support a new config / environment variable and default this to false since this would require the user to explicitly configure this true to enable this behavior and if not continue to function as it does today.

[animedbz16]

@richard-julien I refactored this to add a get_user_attributes_from_id_token configuration value and utilize the decrypted id_token if this is set otherwise to use the userinfo object.

Let me know if there is anything else that would need to be done here. I assume another PR would likely need to be created to document this new configuration option once it is approved / merged.