Merge pull request #1041 from nextcloud/enh/1034/userinfo-data-for-provisioning

julien-nc · web-flow · commit 1f88b292aef4 · 2025-04-28T10:38:49.000+02:00
Call userinfo on login to enrich the login ID token
diff --git a/README.md b/README.md
@@ -86,6 +86,21 @@ To change this behaviour and disable the default claims, you can change this val
 When default claims are disabled, each claim will be asked for only if there is an attribute explicitely mapped
 in the OpenId client settings (in Nextcloud's admin settings).
 
+### Call the userinfo endpoint to enrich the login ID token
+
+If some user information is not in your login ID tokens but can be obtained with the userinfo endpoint, just enable
+`enrich_login_id_token_with_userinfo` in config.php. This is disabled by default.
+``` php
+'user_oidc' => [
+    'enrich_login_id_token_with_userinfo' => true,
+],
+```
+
+This will use the content of the userinfo endpoint response just like if it had been included in the login ID token.
+
+This will only work on login and not when validating a bearer token
+because provisioning when validating a bearer access token is not supported yet.
+
 ### ID4me option
 ID4me is an application setting switch which is configurable as normal Nextcloud app setting:
 ```
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -22,6 +22,7 @@
 use OCA\UserOIDC\Event\TokenObtainedEvent;
 use OCA\UserOIDC\Service\DiscoveryService;
 use OCA\UserOIDC\Service\LdapService;
+use OCA\UserOIDC\Service\OIDCService;
 use OCA\UserOIDC\Service\ProviderService;
 use OCA\UserOIDC\Service\ProvisioningService;
 use OCA\UserOIDC\Service\TokenService;
@@ -85,6 +86,7 @@ public function __construct(
 		private LoggerInterface $logger,
 		private ICrypto $crypto,
 		private TokenService $tokenService,
+		private OidcService $oidcService,
 	) {
 		parent::__construct($request, $config);
 	}
@@ -426,6 +428,17 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			$idTokenPayload = JWT::decode($idTokenRaw, $jwks);
 		}
 
+		// default is false
+		if (isset($oidcSystemConfig['enrich_login_id_token_with_userinfo']) && $oidcSystemConfig['enrich_login_id_token_with_userinfo']) {
+			$userInfo = $this->oidcService->userInfo($provider, $data['access_token']);
+			foreach ($userInfo as $key => $value) {
+				// give priority to id token values, only use userinfo ones if missing in id token
+				if (!isset($idTokenPayload->{$key})) {
+					$idTokenPayload->{$key} = $value;
+				}
+			}
+		}
+
 		$this->logger->debug('Parsed the JWT payload: ' . json_encode($idTokenPayload, JSON_THROW_ON_ERROR));
 
 		if ($idTokenPayload->exp < $this->timeFactory->getTime()) {
