feat: add adfs fallback to match upn or unique_name

Author: vishnurk6247

wavefront/server/modules/user_management_module/user_management_module/controllers/auth_plugin_controller.py

@@ -34,6 +34,7 @@
 
 from authenticator import AuthenticatorType
 from authenticator.helper import validate_email
+from authenticator.microsoft_adfs import MicrosoftADFSAuthenticator
 
 
 auth_plugin_router = APIRouter()
@@ -573,6 +574,28 @@ def get_failure_redirect(error_msg: str) -> RedirectResponse:
         user = await user_repository.find_one(email=ui.email)
         if user is None and ui.email:
             user = await user_repository.find_one(username=ui.email.lower())
+
+        # ADFS fallback: when the email lookup fails (even though an email was
+        # present in the id_token), retry using the upn and unique_name claims.
+        # These claims carry raw values like ``DOMAIN\userid`` or
+        # ``userid@domain``; the stored username is just the bare id, so the
+        # identifier must be extracted from the claim before matching.
+        if user is None and isinstance(authenticator, MicrosoftADFSAuthenticator):
+            for candidate in (ui.upn, ui.unique_name):
+                identifier = authenticator.extract_identifier_from_claim(candidate)
+                if not identifier:
+                    continue
+                identifier = identifier.lower()
+                user = await user_repository.find_one(username=identifier)
+                if user is not None:
+                    logger.debug(
+                        '_handle_oauth_callback: ADFS fallback matched user via '
+                        'claim=%s identifier=%s',
+                        candidate,
+                        identifier,
+                    )
+                    break
+
         logger.debug(
             '_handle_oauth_callback: user lookup by identifier=%s found=%s deleted=%s',
             ui.email,

wavefront/server/plugins/authenticator/authenticator/microsoft_adfs/authenticator.py

@@ -333,6 +333,17 @@ def _exchange_code_for_token(
                 None,
             )
 
+    def extract_identifier_from_claim(self, value: Optional[str]) -> Optional[str]:
+        """Public wrapper around identifier extraction for upn/unique_name claims.
+
+        Lets callers (e.g. the auth controller) resolve the bare user id stored
+        as a username from a raw ``upn``/``unique_name`` claim value such as
+        ``DOMAIN\\userid`` or ``userid@domain``.
+        """
+        if not value:
+            return None
+        return self._extract_identifier_from_claim(value)
+
     def _extract_identifier_from_claim(self, value: str) -> Optional[str]:
         """Pull the user identifier out of a raw UPN or unique_name string.