fix(server): OIDC bug (#7061)

packages/backend/server/src/config/affine.env.ts

@@ -15,8 +15,13 @@ AFFiNE.ENV_MAP = {
   OAUTH_GOOGLE_CLIENT_SECRET: 'plugins.oauth.providers.google.clientSecret',
   OAUTH_GITHUB_CLIENT_ID: 'plugins.oauth.providers.github.clientId',
   OAUTH_GITHUB_CLIENT_SECRET: 'plugins.oauth.providers.github.clientSecret',
+  OAUTH_OIDC_ISSUER: 'plugins.oauth.providers.oidc.issuer',
   OAUTH_OIDC_CLIENT_ID: 'plugins.oauth.providers.oidc.clientId',
   OAUTH_OIDC_CLIENT_SECRET: 'plugins.oauth.providers.oidc.clientSecret',
+  OAUTH_OIDC_SCOPE: 'plugins.oauth.providers.oidc.args.scope',
+  OAUTH_OIDC_CLAIM_MAP_USERNAME: 'plugins.oauth.providers.oidc.args.claim_id',
+  OAUTH_OIDC_CLAIM_MAP_EMAIL: 'plugins.oauth.providers.oidc.args.claim_email',
+  OAUTH_OIDC_CLAIM_MAP_NAME: 'plugins.oauth.providers.oidc.args.claim_name',
   METRICS_CUSTOMER_IO_TOKEN: ['metrics.customerIo.token', 'string'],
   COPILOT_OPENAI_API_KEY: 'plugins.copilot.openai.apiKey',
   COPILOT_FAL_API_KEY: 'plugins.copilot.fal.apiKey',

packages/backend/server/src/plugins/oauth/providers/oidc.ts

@@ -23,12 +23,15 @@ const OIDCTokenSchema = z.object({
   token_type: z.string(),
 });
 
-const OIDCUserInfoSchema = z.object({
+const OIDCUserInfoSchema = z
-  id: z.string(),
+  .object({
-  email: z.string().email(),
+    sub: z.string(),
-  name: z.string(),
+    preferred_username: z.string(),
-  groups: z.array(z.string()).optional(),
+    email: z.string().email(),
-});
+    name: z.string(),
+    groups: z.array(z.string()).optional(),
+  })
+  .passthrough();
 
 type OIDCUserInfo = z.infer<typeof OIDCUserInfoSchema>;
 
@@ -62,7 +65,8 @@ class OIDCClient {
         });
       }
     }
-    return verifier.parse(response.json());
+    const data = await response.json();
+    return verifier.parse(data);
   }
 
   static async create(config: OAuthOIDCProviderConfig, url: URLHelper) {
@@ -135,16 +139,17 @@ class OIDCClient {
   }
 
   private mapUserInfo(
-    user: Record<string, any>,
+    user: OIDCUserInfo,
     claimsMap: Record<string, string>
-  ): OIDCUserInfo {
+  ): OAuthAccount {
-    const mappedUser: Partial<OIDCUserInfo> = {};
+    const mappedUser: Partial<OAuthAccount> = {};
     for (const [key, value] of Object.entries(claimsMap)) {
-      if (user[value] !== undefined) {
+      const claimValue = user[value];
-        mappedUser[key as keyof OIDCUserInfo] = user[value];
+      if (claimValue !== undefined) {
+        mappedUser[key as keyof OAuthAccount] = claimValue as string;
       }
     }
-    return mappedUser as OIDCUserInfo;
+    return mappedUser as OAuthAccount;
   }
 
   async userinfo(token: string) {