feat(server): support IDPs that only send the userinfo in the ID token (#26717)

Co-authored-by: irouply <irouply@secom.fr> Co-authored-by: Daniel Dietzler <mail@ddietzler.dev>
2026-03-22 09:00:58 +03:00 · 2026-03-13 22:14:45 +01:00
parent 10fa928abe
commit 55513cd59f
3 changed files with 54 additions and 5 deletions
--- a/e2e-auth-server/auth-server.ts
+++ b/e2e-auth-server/auth-server.ts
@@ -10,6 +10,7 @@ export enum OAuthClient {
 export enum OAuthUser {
  NO_EMAIL = 'no-email',
  NO_NAME = 'no-name',
+  ID_TOKEN_CLAIMS = 'id-token-claims',
  WITH_QUOTA = 'with-quota',
  WITH_USERNAME = 'with-username',
  WITH_ROLE = 'with-role',
@@ -52,12 +53,25 @@ const withDefaultClaims = (sub: string) => ({
  email_verified: true,
 });

-const getClaims = (sub: string) => claims.find((user) => user.sub === sub) || withDefaultClaims(sub);
+const getClaims = (sub: string, use?: string) => {
+  if (sub === OAuthUser.ID_TOKEN_CLAIMS) {
+    return {
+      sub,
+      email: `oauth-${sub}@immich.app`,
+      email_verified: true,
+      name: use === 'id_token' ? 'ID Token User' : 'Userinfo User',
+    };
+  }
+  return claims.find((user) => user.sub === sub) || withDefaultClaims(sub);
+};

 const setup = async () => {
  const { privateKey, publicKey } = await generateKeyPair('RS256');

-  const redirectUris = ['http://127.0.0.1:2285/auth/login', 'https://photos.immich.app/oauth/mobile-redirect'];
+  const redirectUris = [
+    'http://127.0.0.1:2285/auth/login',
+    'https://photos.immich.app/oauth/mobile-redirect',
+  ];
  const port = 2286;
  const host = '0.0.0.0';
  const oidc = new Provider(`http://${host}:${port}`, {
@@ -66,7 +80,10 @@ const setup = async () => {
      console.error(error);
      ctx.body = 'Internal Server Error';
    },
-    findAccount: (ctx, sub) => ({ accountId: sub, claims: () => getClaims(sub) }),
+    findAccount: (ctx, sub) => ({
+      accountId: sub,
+      claims: (use) => getClaims(sub, use),
+    }),
    scopes: ['openid', 'email', 'profile'],
    claims: {
      openid: ['sub'],
@@ -94,6 +111,7 @@ const setup = async () => {
        state: 'oidc.state',
      },
    },
+    conformIdTokenClaims: false,
    pkce: {
      required: () => false,
    },
@@ -125,7 +143,10 @@ const setup = async () => {
    ],
  });

-  const onStart = () => console.log(`[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`);
+  const onStart = () =>
+    console.log(
+      `[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`,
+    );
  const app = oidc.listen(port, host, onStart);
  return () => app.close();
 };