feat: add configurable userIdClaim for OIDC user identification

The OIDC user login ID is now configurable via the admin OIDC setup dialog (userIdClaim field). Supports dot-separated claim paths (e.g. 'email', 'preferred_username', 'custom.user_id'). Defaults to 'sub' for backwards compatibility. Throws if the configured claim is missing from the id_token. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 10:18:03 +02:00
parent 549dbaa322
commit a96cf2afed
5 changed files with 22 additions and 9 deletions
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -104,13 +104,20 @@ public class OidcTokenExchanger {

        JWTClaimsSet claims = getJwtProcessor(config.issuerUri()).process(idTokenStr, null);

-        String subject = claims.getSubject();
+        String userIdClaim = config.userIdClaim() != null && !config.userIdClaim().isBlank()
+                ? config.userIdClaim() : "sub";
+        String subject = "sub".equals(userIdClaim)
+                ? claims.getSubject()
+                : extractStringClaim(claims, userIdClaim);
+        if (subject == null || subject.isBlank()) {
+            throw new IllegalStateException("OIDC id_token missing user ID claim: " + userIdClaim);
+        }
        String email = claims.getStringClaim("email");
        String name = extractStringClaim(claims, config.displayNameClaim());

        List<String> roles = extractRoles(claims, config.rolesClaim());

-        log.info("OIDC user authenticated: sub={}, email={}", subject, email);
+        log.info("OIDC user authenticated: id={}, email={}", subject, email);
        return new OidcUserInfo(subject, email != null ? email : "", name != null ? name : "", roles, idTokenStr);
    }