[Feature Request] Map header value to username #104

Open
KairuByte opened this issue Feb 8, 2022 · 4 comments

KairuByte commented Feb 8, 2022

I've been testing Header Auth with Cloudflare Zero Trust, but I've run into an odd limitation. I have no way of setting what the header passes to Home Assistant. The only value that seems to be passed is the user's email address.

Would it be possible to add a list of [header_value] => [username] translations, to account for such situations?

I'm thinking something along these lines:

auth_header:
  username_header: Cf-Access-Authenticated-User-Email
  username_mapping:
    - [email protected]: user1
    - [email protected]: user2
    - [email protected]: user2

BeryJu (Owner) commented Mar 1, 2022

I don't think this is something that should be done by the SSO client. I played around a bit and noticed that you can set the username to anything, so you could just set the username to the email addresses. Something I would be open to adding is a more general mutation option, like search+replace or regex replace.

cchance27 commented Nov 19, 2023

Ran into this as well, any chance for some form of manipulation?

Edit: for now I've put the display-name as the email address Cloudflare is setting in Cf-Access-Authenticated-User-Email, it's still secure because it's all behind the cloudflared tunnel

KairuByte (Author) commented

Manipulation would be fine with me as well. My main concern is that users can sign in with multiple services, resulting in different emails being associated with one user.

cchance27 commented

True, that is an issue. Realistically, manipulation isn't the solution; you'd need some form of mapping on the HA side of valid emails to username mappings for the Cloudflare case, to support access from multiple login types.
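
A sketch of the header-to-username mapping discussed in this thread, combined with the regex mutation option and a check that the request really came from the proxy. This is an added example, not the project's own code; `resolve_username`, `TRUSTED_PROXIES`, `MUTATIONS`, the proxy network and all addresses and usernames are hypothetical, constructed values.

```python
import ipaddress
import re

# Constructed sample configuration (assumptions, not values from the project).
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.33.0/24")]
USERNAME_HEADER = "Cf-Access-Authenticated-User-Email"
USERNAME_MAPPING = {
    "alice@example.com": "user1",
    "bob@example.com": "user2",
    "bob@example.org": "user2",  # second login provider, same Home Assistant user
}
# General mutation rules (regex replace), tried only when no explicit mapping matches.
MUTATIONS = [(re.compile(r"([a-z0-9._-]+)@corp\.example"), r"\1")]


def resolve_username(peer_ip, headers):
    """Return the mapped username, or None to refuse the login (fail closed).

    headers is a list of (name, value) pairs as received on the wire.
    """
    # The header is only meaningful when the request came from the proxy itself;
    # any other peer could have set it to an arbitrary value.
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    # Header names are case-insensitive; refuse missing or duplicated headers
    # instead of picking one of several values.
    values = [v for k, v in headers if k.lower() == USERNAME_HEADER.lower()]
    if len(values) != 1:
        return None
    # Assumption: addresses are compared case-insensitively.
    email = values[0].strip().lower()
    if email in USERNAME_MAPPING:
        return USERNAME_MAPPING[email]
    for pattern, repl in MUTATIONS:
        if pattern.fullmatch(email):
            return pattern.sub(repl, email)
    # Unknown identity: no implicit account, no fallback to the raw header value.
    return None
```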
