fix(idp): do not call userinfo when mapping from ID token is configured (#7696)

* fix(idp): do not call userinfo when mapping from ID token is configured This change prevents the call of the Userinfo endpoint of a OIDC IDP if the IDP is configured to use the ID token for user information instead. A unit test has been added to confirm the corrected behavior. Closes #7373 * video for e2e --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:47:33 +00:00 · 2024-04-04 08:41:44 +03:00
parent f862e43ede
commit 9b3f3e4cd9
2 changed files with 79 additions and 11 deletions
--- a/internal/idp/providers/oidc/session.go
+++ b/internal/idp/providers/oidc/session.go
@@ -38,17 +38,20 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 			return nil, err
 		}
 	}
-	info, err := rp.Userinfo[*oidc.UserInfo](ctx,
-		s.Tokens.AccessToken,
-		s.Tokens.TokenType,
-		s.Tokens.IDTokenClaims.GetSubject(),
-		s.Provider.RelyingParty,
-	)
-	if err != nil {
-		return nil, err
-	}
+
+	var info *oidc.UserInfo
 	if s.Provider.useIDToken {
 		info = s.Tokens.IDTokenClaims.GetUserInfo()
+	} else {
+		info, err = rp.Userinfo[*oidc.UserInfo](ctx,
+			s.Tokens.AccessToken,
+			s.Tokens.TokenType,
+			s.Tokens.IDTokenClaims.GetSubject(),
+			s.Provider.RelyingParty,
+		)
+		if err != nil {
+			return nil, err
+		}
 	}
 	u := s.Provider.userInfoMapper(info)
 	return u, nil