
Commit 6517df9

committed
add claims back to userinfo
1 parent b830aaf commit 6517df9

1 file changed

Lines changed: 16 additions & 12 deletions


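--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -444,7 +444,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client
 return oidcCode, nil
 }
 
-func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, nonce string) (string, error) {
+func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
 createdAt := time.Now().Unix()
 expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 
@@ -473,16 +473,20 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
 return "", err
 }
 
-// Per OIDC Core §5.4: for code flow, scope-requested claims (profile, email)
-// belong in the userinfo response only. The id_token carries only the required
-// JWT claims (iss, aud, sub, iat, exp) plus nonce.
+userInfo := service.CompileUserinfo(user, scope)
+
 claims := ClaimSet{
-Iss: service.issuer,
-Aud: client.ClientID,
-Sub: user.Sub,
-Iat: createdAt,
-Exp: expiresAt,
-Nonce: nonce,
+Iss: service.issuer,
+Aud: client.ClientID,
+Sub: user.Sub,
+Iat: createdAt,
+Exp: expiresAt,
+Name: userInfo.Name,
+Email: userInfo.Email,
+EmailVerified: userInfo.EmailVerified,
+PreferredUsername: userInfo.PreferredUsername,
+Groups: userInfo.Groups,
+Nonce: nonce,
 }
 
 payload, err := json.Marshal(claims)
@@ -513,7 +517,7 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 return TokenResponse{}, err
 }
 
-idToken, err := service.generateIDToken(client, user, codeEntry.Nonce)
+idToken, err := service.generateIDToken(client, user, codeEntry.Scope, codeEntry.Nonce)
 
 if err != nil {
 return TokenResponse{}, err
@@ -581,7 +585,7 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 
 idToken, err := service.generateIDToken(config.OIDCClientConfig{
 ClientID: entry.ClientID,
-}, user, entry.Nonce)
+}, user, entry.Scope, entry.Nonce)
 
 if err != nil {
 return TokenResponse{}, err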
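Review bot: The hunk at @@ -473 deletes the comment that justified restricting the id_token to iss/aud/sub/iat/exp/nonce (OIDC Core §5.4) and replaces it with nothing, so the next reader has no record of why Name, Email, EmailVerified, PreferredUsername and Groups now also travel in the id_token; the commit title ("add claims back to userinfo") does not describe this change either. Whether a given relying party should receive these claims now rests entirely on CompileUserinfo filtering by the `scope` argument, which is not visible here — if it returns every populated claim regardless of scope, a client that requested only `openid` still gets email and group membership in a token it may log or forward. Suggest a comment above the new call, `// Scope-gated profile claims are embedded in the id_token as well as the userinfo response; CompileUserinfo is responsible for filtering by the granted scope.`, plus a unit test asserting that an `openid`-only scope produces an id_token with no Email or Groups. In the @@ -581 hunk the refresh path passes entry.Scope, so the claims in a refreshed id_token depend on entry.Scope being the scope granted at authorization time rather than anything supplied on the refresh request; worth confirming where entry is populated. generateIDToken's body continues outside the hunk.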
