Description
When setting up OIDC using the new environment variables, I noticed a couple of issues. For context, I am using Authelia and configured these environment variables:
```
SPARKY_FITNESS_DISABLE_EMAIL_LOGIN=true
SPARKY_FITNESS_OIDC_AUTH_ENABLED=true
SPARKY_FITNESS_OIDC_ISSUER_URL="https://authelia.example.com"
SPARKY_FITNESS_OIDC_CLIENT_ID="sparky"
SPARKY_FITNESS_OIDC_CLIENT_SECRET="secret"
SPARKY_FITNESS_OIDC_PROVIDER_SLUG="authelia"
SPARKY_FITNESS_OIDC_PROVIDER_NAME="Authelia"
SPARKY_FITNESS_OIDC_AUTO_REGISTER=true
SPARKY_FITNESS_OIDC_SCOPE="openid groups email profile"
SPARKY_FITNESS_OIDC_ADMIN_GROUP="sparky_admin"
SPARKY_FITNESS_OIDC_TOKEN_AUTH_METHOD="client_secret_post"
```

- The `SPARKY_FITNESS_OIDC_TOKEN_AUTH_METHOD` seems to be completely ignored.

The docs mention it defaults to `client_secret_post`, but in fact it seems to always be `client_secret_basic`.
Setting the env variable as above will make the login fail since `client_secret_basic` is used, when Authelia expects `client_secret_post`:

```
Mar 01 16:07:52 homeserver authelia[222903]: time="2026-03-01T16:07:52+01:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_basic', however the OAuth 2.0 client registration does not allow this method.
```
- Claims don't seem to be read from the userinfo endpoint.
Currently SparkyFitness seems to only extract claims from the id token.
OIDC providers such as Authelia will not hydrate the id token with all claims by default as those should be read from the userinfo endpoint. As a result the login will just show an error:
In order for the claims such as email to be extracted correctly, one currently has to use a workaround, e.g. defining a custom claims policy in Authelia:

```yaml
identity_providers:
  oidc:
    claims_policies:
      sparky:
        id_token:
          - email
          - preferred_username
          - name
          - groups
```

- The claim-based admin role mapping seems to also be ignored.

The first registered user will be made admin; any other user logging in after that will not be made admin, even if the `groups` claim contains `sparky_admin`, in my case.
The syncUserGroups function is imported here, but it doesn't seem to be invoked anywhere. Can only find usage of it in the tests.
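As an added illustration (not SparkyFitness code and not from the issue author), the following Node.js snippet shows the three behaviours the report expects from an OIDC relying party: honouring the configured `token_endpoint_auth_method`, merging userinfo claims into the ID token claims after the `sub` check that OIDC Core requires, and mapping the admin role from the `groups` claim on every login. The token endpoint URL, claim values and function names are assumptions constructed for the example.

```javascript
// Added example, not SparkyFitness code: the three behaviours the issue
// describes, written the way an OIDC relying party is expected to handle them.

// 1. Client authentication at the token endpoint must follow the configured
//    token_endpoint_auth_method instead of always using client_secret_basic.
function buildTokenRequest(tokenEndpoint, opts) {
  const { clientId, clientSecret, code, redirectUri, authMethod = 'client_secret_post' } = opts;
  const params = new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: redirectUri });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (authMethod === 'client_secret_basic') {
    // RFC 6749 2.3.1: id and secret are form-urlencoded, joined by ':' and base64'd
    const cred = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(cred).toString('base64');
  } else if (authMethod === 'client_secret_post') {
    params.set('client_id', clientId);
    params.set('client_secret', clientSecret);
  } else {
    throw new Error(`unsupported token_endpoint_auth_method: ${authMethod}`);
  }
  return { url: tokenEndpoint, method: 'POST', headers, body: params.toString() };
}

// 2. Claims come from the ID token first (it is signed); the userinfo response
//    fills in what the provider left out. OIDC Core 5.3.2: the userinfo 'sub'
//    must equal the ID token 'sub', otherwise the userinfo claims must not be used.
function mergeClaims(idTokenClaims, userinfoClaims, required = ['email']) {
  if (userinfoClaims && userinfoClaims.sub !== idTokenClaims.sub) {
    throw new Error('userinfo sub does not match ID token sub; userinfo claims rejected');
  }
  const claims = { ...(userinfoClaims || {}), ...idTokenClaims };
  const missing = required.filter((c) => claims[c] === undefined);
  if (missing.length) throw new Error(`missing required claims: ${missing.join(', ')}`);
  return claims;
}

// 3. Role mapping: membership in the configured admin group grants admin on
//    every login, not only for the first registered user.
function resolveRole(claims, { adminGroup, groupsClaim = 'groups', isFirstUser = false }) {
  const groups = Array.isArray(claims[groupsClaim]) ? claims[groupsClaim] : [];
  if (adminGroup && groups.includes(adminGroup)) return 'admin';
  return isFirstUser ? 'admin' : 'user';
}

// Constructed sample: an ID token carrying only the mandatory claims (as the issue
// describes for Authelia's default claims policy) plus a userinfo response.
const SAMPLE_ID_TOKEN_CLAIMS = { iss: 'https://authelia.example.com', sub: 'user-1', aud: 'sparky' };
const SAMPLE_USERINFO = { sub: 'user-1', email: 'alice@example.com', preferred_username: 'alice', groups: ['sparky_admin'] };

function demo() {
  const claims = mergeClaims(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_USERINFO);
  return { email: claims.email, role: resolveRole(claims, { adminGroup: 'sparky_admin' }) };
}
```

`demo()` returns `{ email: 'alice@example.com', role: 'admin' }`; with the userinfo response dropped, `mergeClaims` fails on the missing `email` claim, which is the login error the report describes.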