Add ability to configure custom email and username claims

This will help customers support active directory-based OIDC

oauth/oidc.py

@@ -167,13 +167,32 @@ class OIDCLoginService(OAuthService):
       raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint')
 
     # Check if we have a verified email address.
-    email_address = user_info.get('email') if user_info.get('email_verified') else None
+    if self.config.get('VERIFIED_EMAIL_CLAIM_NAME'):
+      email_address = user_info.get(self.config['VERIFIED_EMAIL_CLAIM_NAME'])
+    else:
+      email_address = user_info.get('email') if user_info.get('email_verified') else None
+
+    logger.debug('Found e-mail address `%s` for sub `%s`', email_address, user_info['sub'])
     if self._mailing:
       if email_address is None:
         raise OAuthLoginException('A verified email address is required to login with this service')
 
     # Check for a preferred username.
-    lusername = user_info.get('preferred_username') or user_info.get('sub')
+    if self.config.get('PREFERRED_USERNAME_CLAIM_NAME'):
+      lusername = user_info.get(self.config['PREFERRED_USERNAME_CLAIM_NAME'])
+    else:
+      lusername = user_info.get('preferred_username')
+      if lusername is None:
+        # Note: Active Directory provides `unique_name` and `upn`.
+        # https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
+        lusername = user_info.get('unique_name', user_info.get('upn'))
+
+    if lusername is None:
+      lusername = user_info['sub']
+
+    if lusername.find('@') >= 0:
+      lusername = lusername[0:lusername.find('@')]
+
     return decoded_id_token['sub'], lusername, email_address
 
   @property