source-academy · RichDom2185 · Mar 2, 2026 · Feb 19, 2026 · Mar 1, 2026 · Mar 1, 2026
diff --git a/.tool-versions b/.tool-versions
@@ -1,2 +1,2 @@
-elixir 1.19.5
+elixir 1.19.5-otp-28
 erlang 28.3.1
diff --git a/lib/cadet/auth/providers/openid/nus_entra_id_claim_extractor.ex b/lib/cadet/auth/providers/openid/nus_entra_id_claim_extractor.ex
@@ -0,0 +1,38 @@
+defmodule Cadet.Auth.Providers.NusEntraIdClaimExtractor do
+  @moduledoc """
+  Extracts fields from NUS' Microsoft Entra ID JWTs.
+  """
+
+  @behaviour Cadet.Auth.Providers.OpenID.ClaimExtractor
+
+  def get_username(claims, access_token) do
+    get_userinfo(claims, "samAccountName")
+  end
+
+  def get_name(claims, access_token) do
+    get_userinfo(claims, "displayName")
+  end
+
+  def get_token_type, do: "id_token"
+
+  # Allowed Active Directory (AD) domains; modify as needed
+  @allowed_domains ~w(student alum staff)
+
+  defp check_allowed_domain(claims) do
+    domain = Map.get(claims, "ExtensionAttribute6")
+    domain in @allowed_domains
+  end
+
+  defp map_key_to_raw(key), do: key
+
+  defp get_userinfo(claims, key) do
+    with true <- check_allowed_domain(claims),
+         mapped_key <- map_key_to_raw(key),
+         value when not is_nil(value) <- Map.get(claims, mapped_key) do
+      value
+    else
+      false -> nil
+      _ -> nil
+    end
+  end
+end