User identifier from id_token about symfony-oidc HOT 5 CLOSED

Maybe something like this would work? Get the data from the token and merge it with the existing data. Don't know if there are any edge cases (empty idtoken?) we would need to test.

 
  public function retrieveUserInfo(OidcTokens $tokens): OidcUserData
  {
    // Set the authorization header
    $headers = ["Authorization: Bearer {$tokens->getAccessToken()}"];

    // Retrieve the user information and convert the encoding to UTF-8 to harden for surfconext UTF-8 bug
    $jsonData = $this->urlFetcher->fetchUrl($this->getUserinfoEndpoint(), null, $headers);
    $jsonData = mb_convert_encoding($jsonData, 'UTF-8');

    // Read the data
    $userInfoData = json_decode($jsonData, true);

    // Get the data from the id_token
     $tokenData = $this->jwtHelper->decodeJwt($tokens->getIdToken(), 1);
     $tokenData = json_decode(json_encode($tokenData), true);
     $data = array_merge($tokenData, $userInfoData);
   
    // Check data due
    if (!is_array($data)) {
      throw new OidcException('Error retrieving the user info from the endpoint.');
    }

    return new OidcUserData($data);
  }

from symfony-oidc.

Well, what you're looking is indeed not possible with the current implementation, so you didn't miss something obvious. Only Microsoft did by leaving out the most important user information from the User Info endpoint 😄

To me option 1 seems best, as that would be the nicest point of integration in my opinion without processing the user info data. You can adjust the OidcAuthenticator to retrieve the $userIdentifier from either the $userData as it does now, or to retrieve it from the id token when configured. A new method to retrieve the identifier would be best.

I assume you still need access to the user info to be able to load the rest of the user information, right?

Are you up for a PR? You can look at how the userIdentifierProperty/user_identifier_property has been implemented, and adjust it for a new useIdTokenForUserIdentifier. The retrieval of the correct JWT part can be added to the OidcJwtHelper class, and maybe even refactor this line to use it: https://github.com/Drenso/symfony-oidc/blob/master/src/OidcClient.php#L445.

from symfony-oidc.

Hi Bob,

That seems like fun. I'll try a PR, I have time this Wednesday, so will look into it then.

Thanks,

Albert-Jan

from symfony-oidc.

Fixed with #38, thank you @stevensajw 👍🏻 (and tagged as 2.10.0)

from symfony-oidc.

Learned a lot, thank you :-)

from symfony-oidc.