Description
When using a custom scope for the userIdentifier in the OIDC config it fails because the retrieved values are hard-coded in oidc.go and will therefore not work. I was trying to use the common given_name as userIdentifier, but it failed.
Expected behaviour
I would expect it to be able to receive and use every custom scope the OIDC provider can provide.
What is happening instead?
You are met with this when trying to login:
{"status":500,"message":"no valid username found in ID token or UserInfo response from claims"}
and the debug logs say this:
2025/10/15 20:18:26 [INFO ] write.go:261: GET | 302 | REDACTED_IP:43478 | N/A | 0ms | "/api/auth/oidc/login?redirect=%2Ffiles%2F"
2025/10/15 20:18:26 [DEBUG] oidc.go:185: ID token found in token response, attempting verification.
2025/10/15 20:18:26 [DEBUG] oidc.go:202: ID Token verified and claims decoded: {Name:REDACTED_NAME PreferredUsername:REDACTED_PREF_USERNAME Username: Email:REDACTED_EMAIL Sub:6285bff64df919759532646e38e106cf320ff20ef024bf1371559be6c5c636c5 Phone: Groups:[REDACTED_LIST_OF_GROUPS]}
2025/10/15 20:18:26 [ERROR] write.go:261: GET | 500 | REDACTED_IP:43478 | N/A | 498ms | "/api/auth/oidc/callback?code=35c51f2d99e84b24ad2dbd3db0bd629e&state=qhhg4k0wj4x3tlsm%3A%2Ffiles%2F"
Additional context
From what I can determine from the file oidc.go, it only allows some pre-determined values.
How to reproduce?
Set the config setting auth.methods.oidc.userIdentifier to something other than the hard-coded alternatives, e.g. given_name, and then try to log in.
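The failure described in this report comes from decoding the ID token into a fixed struct, so any claim outside that struct is dropped before the userIdentifier lookup runs. The following is an added illustration written for this page, not code from the project's oidc.go: it decodes the claims into a free-form map, looks up whatever claim name the configuration specifies, falls back from ID-token claims to UserInfo claims, and refuses non-string claims. The claim payloads, the function names and the claim values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleIDTokenClaims is a constructed JSON payload standing in for the
// decoded claims of an ID token; it is not a real token and the values are
// placeholders. The "given_name" claim is the one the report wants to use.
const SampleIDTokenClaims = `{
  "sub": "placeholder-subject",
  "name": "Jane Doe",
  "preferred_username": "jdoe",
  "email": "jane@example.invalid",
  "given_name": "jane",
  "groups": ["users", "admins"]
}`

// SampleUserInfoClaims is a constructed UserInfo response carrying a claim
// that the ID token above lacks, to show the fallback path.
const SampleUserInfoClaims = `{"sub": "placeholder-subject", "nickname": "janed"}`

// DecodeClaims parses a claims payload into a free-form map instead of a
// fixed struct, so claims the code did not anticipate remain reachable.
func DecodeClaims(payload []byte) (map[string]any, error) {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return claims, nil
}

// ResolveUserIdentifier returns the value of the configured claim from the
// first source that carries it as a non-empty string. Sources are checked in
// order (e.g. ID token claims first, then UserInfo claims). Non-string claims
// such as "groups" are rejected rather than silently stringified, because a
// username must be a single identifier, not a list or an object.
func ResolveUserIdentifier(claimName string, sources ...map[string]any) (string, error) {
	claimName = strings.TrimSpace(claimName)
	if claimName == "" {
		return "", fmt.Errorf("userIdentifier is not configured")
	}
	for _, src := range sources {
		raw, ok := src[claimName]
		if !ok || raw == nil {
			continue
		}
		s, isString := raw.(string)
		if !isString {
			return "", fmt.Errorf("claim %q is %T, not a string; refusing to use it as a username", claimName, raw)
		}
		if s = strings.TrimSpace(s); s != "" {
			return s, nil
		}
	}
	return "", fmt.Errorf("no valid username found in claim %q of ID token or UserInfo response", claimName)
}

func main() {
	idToken, err := DecodeClaims([]byte(SampleIDTokenClaims))
	if err != nil {
		panic(err)
	}
	userInfo, err := DecodeClaims([]byte(SampleUserInfoClaims))
	if err != nil {
		panic(err)
	}
	// Try a claim in the ID token, one only in UserInfo, a list-valued claim and a missing one.
	for _, claim := range []string{"given_name", "nickname", "groups", "middle_name"} {
		user, err := ResolveUserIdentifier(claim, idToken, userInfo)
		if err != nil {
			fmt.Printf("%-12s -> error: %v\n", claim, err)
			continue
		}
		fmt.Printf("%-12s -> %q\n", claim, user)
	}
}
```

One caveat worth keeping in mind when opening the lookup up to arbitrary claims: given_name and similar profile claims are not guaranteed to be unique or stable across users at the provider, whereas sub is. Mapping accounts on a non-unique claim can make two distinct identities land on the same local user, so a deployment that chooses such a claim should pair it with a uniqueness check or restrict it to providers where the claim is known to be unique.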