authelia: include profile/email/groups claims in id_token for OIDC clients#758
Open
cyberb wants to merge 2 commits into
Open
authelia: include profile/email/groups claims in id_token for OIDC clients#758cyberb wants to merge 2 commits into
cyberb wants to merge 2 commits into
Conversation
…istered OIDC clients Authelia 4.39 returns standard claims (email, name, groups, ...) only from the userinfo endpoint by default. OIDC clients that read identity from the id_token (e.g. Moodle's auth_oidc) therefore cannot provision users or read groups. Add a 'syncloud' claims policy that surfaces those claims in the id_token and apply it to every dynamically registered client. Backwards compatible: existing apps simply receive extra id_token claims (harmless); no golib or registration API change required.
The testapp OIDC fixture preferred the /userinfo endpoint, so the UI test passed regardless of what the id_token contained and could not prove the claims_policy change. Read preferred_username, email and groups strictly from the id_token (dropping the userinfo round trip), request the groups scope, and assert those claims in the Playwright OIDC test.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Authelia 4.39 returns standard claims (email/name/groups) only from the userinfo endpoint. OIDC clients that read identity from the id_token (Moodle's auth_oidc) can't provision users or read groups. This adds a 'syncloud' claims policy that puts those claims in the id_token and applies it to every registered client.
Backwards compatible: existing apps just receive extra id_token claims (harmless). Template-only change; no golib or registration-API change. Platform config unit tests pass.