From 0c77f8d59413a54e950ea9b41ccc7fdbf461bab9 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 10:19:38 +0200
Subject: [PATCH] feat: add User ID Claim field to OIDC admin config UI

New input in the Claim Mapping section lets admins configure which
id_token claim is used as the unique user identifier (default: sub).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 ui/src/api/schema.d.ts                |  2 ++
 ui/src/pages/Admin/OidcConfigPage.tsx | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/ui/src/api/schema.d.ts b/ui/src/api/schema.d.ts
index 7a0704fe..8ed5d579 100644
--- a/ui/src/api/schema.d.ts
+++ b/ui/src/api/schema.d.ts
@@ -1444,6 +1444,7 @@ export interface components {
             defaultRoles?: string[];
             autoSignup?: boolean;
             displayNameClaim?: string;
+            userIdClaim?: string;
         };
         /** @description Error response */
         ErrorResponse: {
@@ -1460,6 +1461,7 @@ export interface components {
             defaultRoles?: string[];
             autoSignup?: boolean;
             displayNameClaim?: string;
+            userIdClaim?: string;
         };
         UpdateGroupRequest: {
             name?: string;
diff --git a/ui/src/pages/Admin/OidcConfigPage.tsx b/ui/src/pages/Admin/OidcConfigPage.tsx
index 6ee52e14..4f765297 100644
--- a/ui/src/pages/Admin/OidcConfigPage.tsx
+++ b/ui/src/pages/Admin/OidcConfigPage.tsx
@@ -14,6 +14,7 @@ interface OidcFormData {
   clientSecret: string;
   rolesClaim: string;
   displayNameClaim: string;
+  userIdClaim: string;
   defaultRoles: string[];
 }
 
@@ -25,6 +26,7 @@ const EMPTY_CONFIG: OidcFormData = {
   clientSecret: '',
   rolesClaim: 'roles',
   displayNameClaim: 'name',
+  userIdClaim: 'sub',
   defaultRoles: ['VIEWER'],
 };
 
@@ -47,6 +49,7 @@ export default function OidcConfigPage() {
         clientSecret: data.clientSecret ?? '',
         rolesClaim: data.rolesClaim ?? 'roles',
         displayNameClaim: data.displayNameClaim ?? 'name',
+        userIdClaim: data.userIdClaim ?? 'sub',
         defaultRoles: data.defaultRoles ?? ['VIEWER'],
       }))
       .catch(() => setForm(EMPTY_CONFIG));
@@ -184,6 +187,13 @@ export default function OidcConfigPage() {
             onChange={(e) => update('rolesClaim', e.target.value)}
           />
         </FormField>
+        <FormField label="User ID Claim" htmlFor="userid-claim" hint="Claim used as unique user identifier (default: sub)">
+          <Input
+            id="userid-claim"
+            value={form.userIdClaim}
+            onChange={(e) => update('userIdClaim', e.target.value)}
+          />
+        </FormField>
         <FormField label="Display Name Claim" htmlFor="name-claim" hint="Claim used for user display name">
           <Input
             id="name-claim"