fix: omit empty user info values

feat: add user info claims to id token
2026-03-03 05:12:03 +00:00 · 2026-03-02 16:00:24 +02:00 · 2026-03-02 15:30:18 +02:00
1 changed files with 36 additions and 14 deletions
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -41,11 +41,15 @@ var (
 )
 type ClaimSet struct {
-	Iss string `json:"iss"`
+	Iss               string   `json:"iss"`
-	Aud string `json:"aud"`
+	Aud               string   `json:"aud"`
-	Sub string `json:"sub"`
+	Sub               string   `json:"sub"`
-	Iat int64  `json:"iat"`
+	Iat               int64    `json:"iat"`
-	Exp int64  `json:"exp"`
+	Exp               int64    `json:"exp"`
 	Name              string   `json:"name,omitempty"`
 	Email             string   `json:"email,omitempty"`
 	PreferredUsername string   `json:"preferred_username,omitempty"`
 	Groups            []string `json:"groups,omitempty"`
 }
 type UserinfoResponse struct {
@@ -53,7 +57,7 @@ type UserinfoResponse struct {
 	Name              string   `json:"name"`
 	Email             string   `json:"email"`
 	PreferredUsername string   `json:"preferred_username"`
-	Groups            []string `json:"groups"`
+	Groups            []string `json:"groups,omitempty"`
 	UpdatedAt         int64    `json:"updated_at"`
 }
@@ -349,7 +353,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
 	return oidcCode, nil
 }
-func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub string) (string, error) {
+func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
@@ -367,12 +371,18 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 		return "", err
 	}
 	userInfo := service.CompileUserinfo(user, scope)
 	claims := ClaimSet{
-		Iss: service.issuer,
+		Iss:               service.issuer,
-		Aud: client.ClientID,
+		Aud:               client.ClientID,
-		Sub: sub,
+		Sub:               user.Sub,
-		Iat: createdAt,
+		Iat:               createdAt,
-		Exp: expiresAt,
+		Exp:               expiresAt,
 		Name:              userInfo.Name,
 		Email:             userInfo.Email,
 		PreferredUsername: userInfo.PreferredUsername,
 		Groups:            userInfo.Groups,
 	}
 	payload, err := json.Marshal(claims)
@@ -397,7 +407,13 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 }
 func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OIDCClientConfig, sub string, scope string) (TokenResponse, error) {
-	idToken, err := service.generateIDToken(client, sub)
+	user, err := service.GetUserinfo(c, sub)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(client, user, scope)
 	if err != nil {
 		return TokenResponse{}, err
@@ -456,9 +472,15 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		return TokenResponse{}, ErrInvalidClient
 	}
 	user, err := service.GetUserinfo(c, entry.Sub)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(config.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, entry.Sub)
+	}, user, entry.Scope)
 	if err != nil {
 		return TokenResponse{}, err
Author	SHA1	Message	Date
Stavros	34c035e855	fix: omit empty user info values	2026-03-02 16:00:24 +02:00
Stavros	fcc56b2ce5	feat: add user info claims to id token	2026-03-02 15:30:18 +02:00