feat(auth): OIDC userinfo fallback for email / email_verified #105
james/carol#105
## Problem

Carol's OIDC verification (#85 / ADR-0017) reads `email` and `email_verified` exclusively from the id_token. Authentik (and several other IdPs) gate those claims behind a per-provider "Include claims in id_token" toggle — when off, the id_token carries only standard claims and verified-email lives only at the userinfo endpoint.

A self-hoster running default Authentik who hasn't found and flipped that toggle hits `?error=oidc_claim` with the log line `id_token email_verified is not true` even though their user IS verified and Authentik IS willing to attest it — just not on the id_token. The fix today is "find the right toggle in the IdP UI." That's friction we should absorb in code.

Hit when deploying #85 against Authentik on `carol.int.wynning.tech`: Authentik's JWT preview showed `email_verified: true`, but the live id_token didn't carry the claim.
## Scope

- `verifyIdToken` in `lib/auth/oidc-verify.ts` to return `{providerUserId, email?, emailVerified?}` (no throws on missing email / email_verified). Signature + iss + aud + exp + nbf + nonce + sub checks stay.
- `fetchUserinfo(args)` helper in `lib/auth/oidc-verify.ts`. HTTPS, Bearer `access_token`, 5s timeout, and `sub` must match the id_token sub (OIDC §5.3.2 token-substitution defence). Returns `{email?, emailVerified?}`.
- `extractProfile` in `lib/auth/oidc-providers.ts` to orchestrate: verify id_token → if email or email_verified missing, fetch userinfo → merge → apply strict `email_verified === true` check.
- Tests (`tests/api/oauth.test.ts`): id_token lacks `email_verified` + userinfo provides it → success; id_token lacks both → success; userinfo sub mismatch → `oidc_claim`; id_token lacks claim and no userinfo configured → `oidc_claim`.
- `docs/oidc-self-hoster-guide.md` Troubleshooting entry for the `oidc_claim` + `email_verified` log line, pointing at userinfo-endpoint configuration as one fix.

## Out of scope

- Relaxing `email_verified === true`. Still load-bearing (ADR-0015 §3).
- `userinfo_endpoint`-only IdPs (no `sub` claim in userinfo) — we still require sub-match. Such IdPs are non-conformant with OIDC §5.3.

## Acceptance

A self-hoster running default Authentik on a user marked email-verified in the IdP gets `?error=oidc_claim` to clear without changing any IdP setting, provided `userinfo_endpoint` resolves (via discovery or override).
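The fallback and the orchestration described under Scope, written out as an added example; this is not Carol's code from `lib/auth/oidc-verify.ts` or `lib/auth/oidc-providers.ts`. The type names (`VerifiedIdToken`, `FetchLike`), the `OidcClaimError` class, the injectable `fetchImpl` and the `stubUserinfo` helper are assumptions made for this illustration so it runs offline; the real helper would call the global `fetch` against the discovered `userinfo_endpoint`.

```typescript
// Added example, not the project's own code. Shows the userinfo fallback
// for email / email_verified with the OIDC Core §5.3.2 sub-match check,
// the HTTPS-only and timeout guards, and the strict boolean-true check.

export type VerifiedIdToken = {
  providerUserId: string; // id_token `sub`; signature/iss/aud/exp/nbf/nonce already checked
  email?: string;
  emailVerified?: boolean;
};
export type UserinfoClaims = { email?: string; emailVerified?: boolean };

// Minimal fetch-compatible shape so a stub can stand in for the network (assumed name).
export type FetchLike = (
  url: string,
  init: { headers: Record<string, string>; signal: AbortSignal },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

// Assumed error type; the route layer would map it to ?error=oidc_claim.
export class OidcClaimError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "OidcClaimError";
  }
}

export async function fetchUserinfo(args: {
  userinfoEndpoint: string;
  accessToken: string;
  expectedSub: string; // `sub` from the verified id_token
  timeoutMs?: number;
  fetchImpl?: FetchLike; // defaults to the global fetch
}): Promise<UserinfoClaims> {
  const { userinfoEndpoint, accessToken, expectedSub, timeoutMs = 5000 } = args;
  const fetchImpl = args.fetchImpl ?? ((globalThis as { fetch?: unknown }).fetch as FetchLike);
  // A bearer token sent over plain HTTP would leak it: refuse non-HTTPS endpoints.
  if (!userinfoEndpoint.startsWith("https://")) {
    throw new OidcClaimError("userinfo_endpoint must be https");
  }
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  let body: unknown;
  try {
    const res = await fetchImpl(userinfoEndpoint, {
      headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
      signal: ac.signal,
    });
    if (!res.ok) throw new OidcClaimError(`userinfo returned HTTP ${res.status}`);
    body = await res.json();
  } finally {
    clearTimeout(timer);
  }
  if (typeof body !== "object" || body === null) {
    throw new OidcClaimError("userinfo response is not a JSON object");
  }
  const claims = body as Record<string, unknown>;
  // OIDC Core §5.3.2: userinfo `sub` MUST equal the id_token `sub`; on mismatch
  // none of the returned claims may be used (token-substitution defence).
  if (claims.sub !== expectedSub) {
    throw new OidcClaimError("userinfo sub does not match id_token sub");
  }
  return {
    email: typeof claims.email === "string" ? claims.email : undefined,
    // Only a JSON boolean counts; the string "true" is left undefined.
    emailVerified: typeof claims.email_verified === "boolean" ? claims.email_verified : undefined,
  };
}

export async function extractProfile(args: {
  idToken: VerifiedIdToken;
  accessToken: string;
  userinfoEndpoint?: string; // from discovery or a per-provider override
  fetchImpl?: FetchLike;
}): Promise<{ providerUserId: string; email: string }> {
  const { idToken, accessToken, userinfoEndpoint, fetchImpl } = args;
  let { email, emailVerified } = idToken;
  if (email === undefined || emailVerified === undefined) {
    if (!userinfoEndpoint) {
      throw new OidcClaimError("id_token lacks email/email_verified and no userinfo_endpoint is configured");
    }
    const ui = await fetchUserinfo({
      userinfoEndpoint,
      accessToken,
      expectedSub: idToken.providerUserId,
      fetchImpl,
    });
    // Claims from the signed id_token win; userinfo only fills the gaps.
    email ??= ui.email;
    emailVerified ??= ui.emailVerified;
  }
  if (email === undefined || emailVerified !== true) {
    throw new OidcClaimError("email_verified is not true");
  }
  return { providerUserId: idToken.providerUserId, email };
}

// Constructed stub standing in for an IdP's userinfo endpoint (no network).
export function stubUserinfo(payload: unknown, status = 200): FetchLike {
  return async () => ({ ok: status >= 200 && status < 300, status, json: async () => payload });
}
```

The merge uses `??=` so a claim the id_token does carry is never overridden by userinfo; a signed `email_verified: false` therefore still fails, and userinfo is consulted only for claims the id_token omitted.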