feat: add configurable userIdClaim for OIDC user identification

The OIDC user login ID is now configurable via the admin OIDC setup dialog (userIdClaim field). Supports dot-separated claim paths (e.g. 'email', 'preferred_username', 'custom.user_id'). Defaults to 'sub' for backwards compatibility. Throws if the configured claim is missing from the id_token. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 10:18:03 +02:00
parent 549dbaa322
commit a96cf2afed
5 changed files with 22 additions and 9 deletions
--- a/cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/OidcConfig.java
+++ b/cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/OidcConfig.java
@@ -13,6 +13,7 @@ import java.util.List;
 * @param defaultRoles      fallback roles for new users with no OIDC role claim
 * @param autoSignup        whether new OIDC users are automatically created on first login
 * @param displayNameClaim  dot-separated path to display name in the id_token (e.g. {@code name}, {@code preferred_username})
+ * @param userIdClaim       dot-separated path to user identifier in the id_token (default {@code sub}); e.g. {@code email}, {@code preferred_username}
 */
 public record OidcConfig(
        boolean enabled,
@@ -22,9 +23,10 @@ public record OidcConfig(
        String rolesClaim,
        List<String> defaultRoles,
        boolean autoSignup,
-        String displayNameClaim
+        String displayNameClaim,
+        String userIdClaim
 ) {
    public static OidcConfig disabled() {
-        return new OidcConfig(false, "", "", "", "roles", List.of("VIEWER"), true, "name");
+        return new OidcConfig(false, "", "", "", "roles", List.of("VIEWER"), true, "name", "sub");
    }
 }