fix(server): OIDC bug (#7061)

2026-02-11 20:08:37 +00:00 · 2024-05-28 12:19:37 +02:00
parent 40b35b7bc2
commit e417c4cd44
2 changed files with 23 additions and 13 deletions
--- a/packages/backend/server/src/config/affine.env.ts
+++ b/packages/backend/server/src/config/affine.env.ts
@@ -15,8 +15,13 @@ AFFiNE.ENV_MAP = {
  OAUTH_GOOGLE_CLIENT_SECRET: 'plugins.oauth.providers.google.clientSecret',
  OAUTH_GITHUB_CLIENT_ID: 'plugins.oauth.providers.github.clientId',
  OAUTH_GITHUB_CLIENT_SECRET: 'plugins.oauth.providers.github.clientSecret',
+  OAUTH_OIDC_ISSUER: 'plugins.oauth.providers.oidc.issuer',
  OAUTH_OIDC_CLIENT_ID: 'plugins.oauth.providers.oidc.clientId',
  OAUTH_OIDC_CLIENT_SECRET: 'plugins.oauth.providers.oidc.clientSecret',
+  OAUTH_OIDC_SCOPE: 'plugins.oauth.providers.oidc.args.scope',
+  OAUTH_OIDC_CLAIM_MAP_USERNAME: 'plugins.oauth.providers.oidc.args.claim_id',
+  OAUTH_OIDC_CLAIM_MAP_EMAIL: 'plugins.oauth.providers.oidc.args.claim_email',
+  OAUTH_OIDC_CLAIM_MAP_NAME: 'plugins.oauth.providers.oidc.args.claim_name',
  METRICS_CUSTOMER_IO_TOKEN: ['metrics.customerIo.token', 'string'],
  COPILOT_OPENAI_API_KEY: 'plugins.copilot.openai.apiKey',
  COPILOT_FAL_API_KEY: 'plugins.copilot.fal.apiKey',
--- a/packages/backend/server/src/plugins/oauth/providers/oidc.ts
+++ b/packages/backend/server/src/plugins/oauth/providers/oidc.ts
@@ -23,12 +23,15 @@ const OIDCTokenSchema = z.object({
  token_type: z.string(),
 });

-const OIDCUserInfoSchema = z.object({
-  id: z.string(),
-  email: z.string().email(),
-  name: z.string(),
-  groups: z.array(z.string()).optional(),
-});
+const OIDCUserInfoSchema = z
+  .object({
+    sub: z.string(),
+    preferred_username: z.string(),
+    email: z.string().email(),
+    name: z.string(),
+    groups: z.array(z.string()).optional(),
+  })
+  .passthrough();

 type OIDCUserInfo = z.infer<typeof OIDCUserInfoSchema>;

@@ -62,7 +65,8 @@ class OIDCClient {
        });
      }
    }
-    return verifier.parse(response.json());
+    const data = await response.json();
+    return verifier.parse(data);
  }

  static async create(config: OAuthOIDCProviderConfig, url: URLHelper) {
@@ -135,16 +139,17 @@ class OIDCClient {
  }

  private mapUserInfo(
-    user: Record<string, any>,
+    user: OIDCUserInfo,
    claimsMap: Record<string, string>
-  ): OIDCUserInfo {
-    const mappedUser: Partial<OIDCUserInfo> = {};
+  ): OAuthAccount {
+    const mappedUser: Partial<OAuthAccount> = {};
    for (const [key, value] of Object.entries(claimsMap)) {
-      if (user[value] !== undefined) {
-        mappedUser[key as keyof OIDCUserInfo] = user[value];
+      const claimValue = user[value];
+      if (claimValue !== undefined) {
+        mappedUser[key as keyof OAuthAccount] = claimValue as string;
      }
    }
-    return mappedUser as OIDCUserInfo;
+    return mappedUser as OAuthAccount;
  }

  async userinfo(token: string) {