broker: use /userinfo as fallback for claims not available in id token

Fixes [#1440](#1440).

This uses the information retrieved from /userinfo endpoint as a fallback for claims not available in id token.

This only affects the generic oidc broker, for ms entra id, we simple drop the information retrieved from /userinfo.

I have verified both oidc and msentraid brokers with these changes, they both work fine.

Signed-off-by: Shiv Tyagi <shivtyagi3015@gmail.com>

Author: shiv-tyagi

authd-oidc-brokers/internal/broker/broker.go

@@ -709,7 +709,7 @@ func (b *Broker) deviceAuth(ctx context.Context, session *session) (string, isAu
 		return AuthDenied, unexpectedErrMsg("could not get provider metadata")
 	}
 
-	authInfo.UserInfo, err = b.userInfoFromIDToken(ctx, session, rawIDToken)
+	authInfo.UserInfo, err = b.userInfo(ctx, session, t)
 	if err != nil {
 		log.Errorf(context.Background(), "could not get user info: %s", err)
 		return AuthDenied, errorMessageForDisplay(err, "Could not get user info")
@@ -1147,7 +1147,7 @@ func (b *Broker) refreshToken(ctx context.Context, session *session, oldToken *t
 	t.ProviderMetadata = oldToken.ProviderMetadata
 	t.DeviceRegistrationData = oldToken.DeviceRegistrationData
 
-	t.UserInfo, err = b.userInfoFromIDToken(ctx, session, rawIDToken)
+	t.UserInfo, err = b.userInfo(ctx, session, t.Token)
 	if err != nil {
 		return nil, err
 	}
@@ -1157,16 +1157,28 @@ func (b *Broker) refreshToken(ctx context.Context, session *session, oldToken *t
 	return t, nil
 }
 
-// userInfoFromIDToken verifies and parses the raw ID token and returns the user info from it.
+// userInfo verifies and parses the raw ID token and returns the user info from it.
+// It also fetches additional claims from the /userinfo endpoint as a fallback for fields not present in the ID token,
+// with ID token claims taking precedence over userinfo claims.
 // Note that verifying the ID token requires a working network connection to the provider's JWKs endpoint,
 // so make sure to only call this function if the session is online.
-func (b *Broker) userInfoFromIDToken(ctx context.Context, session *session, rawIDToken string) (info.User, error) {
+func (b *Broker) userInfo(ctx context.Context, session *session, token *oauth2.Token) (info.User, error) {
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return info.User{}, errors.New("token response does not contain an ID token")
+	}
+
 	idToken, err := session.oidcServer.Verifier(&b.oidcCfg).Verify(ctx, rawIDToken)
 	if err != nil {
 		return info.User{}, fmt.Errorf("could not verify token: %w", err)
 	}
 
-	userInfo, err := b.provider.GetUserInfo(idToken)
+	oidcUserInfo, err := session.oidcServer.UserInfo(ctx, oauth2.StaticTokenSource(token))
+	if err != nil {
+		log.Warningf(ctx, "could not fetch information from /userinfo endpoint: %v", err)
+	}
+
+	userInfo, err := b.provider.GetUserInfo(idToken, oidcUserInfo)
 	if err != nil {
 		return info.User{}, err
 	}

authd-oidc-brokers/internal/providers/genericprovider/genericprovider.go

@@ -3,6 +3,7 @@ package genericprovider
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"slices"
 	"strings"
@@ -48,8 +49,8 @@ func (p GenericProvider) GetMetadata(provider *oidc.Provider) (map[string]interf
 }
 
 // GetUserInfo is a no-op when no specific provider is in use.
-func (p GenericProvider) GetUserInfo(idToken info.Claimer) (info.User, error) {
-	userClaims, err := p.userClaims(idToken)
+func (p GenericProvider) GetUserInfo(idToken info.Claimer, oidcUserInfo info.Claimer) (info.User, error) {
+	userClaims, err := p.userClaims(idToken, oidcUserInfo)
 	if err != nil {
 		return info.User{}, err
 	}
@@ -109,13 +110,46 @@ type claims struct {
 	EmailVerified bool   `json:"email_verified"`
 }
 
-// userClaims returns the user claims parsed from the ID token.
-func (p GenericProvider) userClaims(idToken info.Claimer) (claims, error) {
-	var userClaims claims
-	if err := idToken.Claims(&userClaims); err != nil {
-		return claims{}, fmt.Errorf("failed to get ID token claims: %v", err)
+// userClaims returns the user claims parsed from idToken and oidcUserInfo.
+
+func (p GenericProvider) userClaims(idToken info.Claimer, oidcUserInfo info.Claimer) (claims, error) {
+	idMap := make(map[string]any)
+	if err := idToken.Claims(&idMap); err != nil {
+		return claims{}, fmt.Errorf("failed to get claims from ID token: %v", err)
+	}
+
+	infoMap := make(map[string]any)
+	if oidcUserInfo != nil {
+		_ = oidcUserInfo.Claims(&infoMap) // ignore error, as the /userinfo endpoint is a fallback
+	}
+
+	mergedClaims, err := mergeUserClaims(idMap, infoMap)
+	if err != nil {
+		return claims{}, err
+	}
+	return mergedClaims, nil
+}
+
+// mergeUserClaims merges id token and /userinfo claims, giving preference to idToken values.
+func mergeUserClaims(idTokenClaims, userInfoClaims map[string]any) (claims, error) {
+	merged := make(map[string]any, len(idTokenClaims)+len(userInfoClaims))
+	for k, v := range userInfoClaims {
+		merged[k] = v
+	}
+	for k, v := range idTokenClaims {
+		merged[k] = v
+	}
+
+	data, err := json.Marshal(merged)
+	if err != nil {
+		return claims{}, fmt.Errorf("failed to merge user claims: %v", err)
+	}
+
+	var c claims
+	if err := json.Unmarshal(data, &c); err != nil {
+		return claims{}, fmt.Errorf("failed to parse merged user claims: %v", err)
 	}
-	return userClaims, nil
+	return c, nil
 }
 
 // IsTokenExpiredError returns true if the reason for the error is that the refresh token is expired.

authd-oidc-brokers/internal/providers/genericprovider/genericprovider_test.go

@@ -16,13 +16,14 @@ func TestGetUserInfo(t *testing.T) {
 	t.Parallel()
 
 	tests := map[string]struct {
-		claims      map[string]interface{}
-		wantUser    info.User
-		wantErr     bool
-		wantErrType error
+		idTokenClaims  map[string]interface{}
+		userInfoClaims map[string]interface{}
+		wantUser       info.User
+		wantErr        bool
+		wantErrType    error
 	}{
 		"Successfully_get_user_info_with_all_fields": {
-			claims: map[string]interface{}{
+			idTokenClaims: map[string]interface{}{
 				"sub":            "sub123",
 				"email":          "user@example.com",
 				"email_verified": true,
@@ -33,7 +34,7 @@ func TestGetUserInfo(t *testing.T) {
 			wantUser: info.NewUser("user@example.com", "/home/user", "sub123", "/bin/bash", "Test User", nil),
 		},
 		"Successfully_get_user_info_with_minimal_fields": {
-			claims: map[string]interface{}{
+			idTokenClaims: map[string]interface{}{
 				"sub":            "sub123",
 				"email":          "user@example.com",
 				"email_verified": true,
@@ -42,53 +43,103 @@ func TestGetUserInfo(t *testing.T) {
 		},
 
 		"Error_when_sub_is_missing": {
-			claims: map[string]interface{}{
+			idTokenClaims: map[string]interface{}{
 				"email":          "user@example.com",
 				"email_verified": false,
 			},
 			wantErr: true,
 		},
 		"Error_when_email_is_missing": {
-			claims: map[string]interface{}{
+			idTokenClaims: map[string]interface{}{
 				"sub": "sub123",
 			},
 			wantErr: true,
 		},
-		"Error_when_email_verified_is_missing": {
-			claims: map[string]interface{}{
+		"Error_when_email_verified_is_missing_in_both": {
+			idTokenClaims: map[string]interface{}{
 				"sub":   "sub123",
 				"email": "user@example.com",
 			},
 			wantErr:     true,
 			wantErrType: &providerErrors.ForDisplayError{},
 		},
 		"Error_when_email_is_not_verified": {
-			claims: map[string]interface{}{
+			idTokenClaims: map[string]interface{}{
 				"email":          "user@example.com",
 				"sub":            "sub123",
 				"email_verified": false,
 			},
 			wantErr:     true,
 			wantErrType: &providerErrors.ForDisplayError{},
 		},
+		"idToken_email_verified_overrides_userinfo_false": {
+			idTokenClaims: map[string]interface{}{
+				"sub":            "sub123",
+				"email":          "user@example.com",
+				"email_verified": true,
+			},
+			userInfoClaims: map[string]interface{}{
+				"email_verified": false,
+			},
+			wantUser: info.NewUser("user@example.com", "", "sub123", "", "", nil),
+		},
+		"email_verified_missing_in_idToken_falls_back_to_userinfo": {
+			idTokenClaims: map[string]interface{}{
+				"sub":   "sub123",
+				"email": "user@example.com",
+			},
+			userInfoClaims: map[string]interface{}{
+				"email_verified": true,
+			},
+			wantUser: info.NewUser("user@example.com", "", "sub123", "", "", nil),
+		},
+		"extra_fields_from_userinfo_used_when_absent_in_idToken": {
+			idTokenClaims: map[string]interface{}{
+				"sub":            "sub123",
+				"email":          "user@example.com",
+				"email_verified": true,
+			},
+			userInfoClaims: map[string]interface{}{
+				"home":  "/home/frominfo",
+				"shell": "/bin/zsh",
+				"name":  "From UserInfo",
+			},
+			wantUser: info.NewUser("user@example.com", "/home/frominfo", "sub123", "/bin/zsh", "From UserInfo", nil),
+		},
+		"idToken_fields_take_precedence_over_userinfo": {
+			idTokenClaims: map[string]interface{}{
+				"sub":            "sub123",
+				"email":          "user@example.com",
+				"email_verified": true,
+				"home":           "/home/fromidtoken",
+				"shell":          "/bin/bash",
+				"name":           "From IDToken",
+			},
+			userInfoClaims: map[string]interface{}{
+				"home":  "/home/frominfo",
+				"shell": "/bin/zsh",
+				"name":  "From UserInfo",
+			},
+			wantUser: info.NewUser("user@example.com", "/home/fromidtoken", "sub123", "/bin/bash", "From IDToken", nil),
+		},
 	}
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
 			p := genericprovider.New()
-			mockToken := &mockIDToken{claims: tc.claims}
+			idToken := &mockIDToken{claims: tc.idTokenClaims}
+			userInfo := &mockIDToken{claims: tc.userInfoClaims}
 
-			user, err := p.GetUserInfo(mockToken)
+			user, err := p.GetUserInfo(idToken, userInfo)
 			t.Logf("GetUserInfo error: %v", err)
 
 			if tc.wantErr {
 				require.Error(t, err)
-				return
-			}
-			if tc.wantErrType != nil {
-				require.ErrorIs(t, err, tc.wantErrType)
+				if tc.wantErrType != nil {
+					require.ErrorAs(t, err, &tc.wantErrType)
+				}
 				return
 			}
 			require.NoError(t, err)

authd-oidc-brokers/internal/providers/msentraid/msentraid.go

@@ -119,7 +119,9 @@ func (p *Provider) GetMetadata(provider *oidc.Provider) (map[string]interface{},
 }
 
 // GetUserInfo returns the user info from the ID token.
-func (p *Provider) GetUserInfo(idToken info.Claimer) (info.User, error) {
+// The oidcUserInfo parameter is accepted for interface compatibility but is not used,
+// as MS Entra ID tokens are authoritative and contain all required claims.
+func (p *Provider) GetUserInfo(idToken info.Claimer, _ info.Claimer) (info.User, error) {
 	var err error
 
 	userClaims, err := p.userClaims(idToken)

authd-oidc-brokers/internal/providers/msentraid/msentraid_test.go

@@ -124,7 +124,7 @@ func TestGetUserInfo(t *testing.T) {
 
 			p := msentraid.New()
 
-			got, err := p.GetUserInfo(idToken)
+			got, err := p.GetUserInfo(idToken, &testIDToken{claims: "{}"})
 			if tc.wantErr {
 				require.Error(t, err, "GetUserInfo should return an error")
 				return

authd-oidc-brokers/internal/providers/providers.go

@@ -17,7 +17,7 @@ type Provider interface {
 	GetExtraFields(token *oauth2.Token) map[string]interface{}
 	GetMetadata(provider *oidc.Provider) (map[string]interface{}, error)
 
-	GetUserInfo(idToken info.Claimer) (info.User, error)
+	GetUserInfo(idToken info.Claimer, oidcUserInfo info.Claimer) (info.User, error)
 
 	GetGroups(
 		ctx context.Context,

authd-oidc-brokers/internal/testutils/provider.go

@@ -404,7 +404,7 @@ func (p *MockProvider) GetMetadata(provider *oidc.Provider) (map[string]interfac
 }
 
 // GetUserInfo returns the user info parsed from the ID token.
-func (p *MockProvider) GetUserInfo(idToken info.Claimer) (info.User, error) {
+func (p *MockProvider) GetUserInfo(idToken info.Claimer, _ info.Claimer) (info.User, error) {
 	userClaims, err := p.userClaims(idToken)
 	if err != nil {
 		return info.User{}, err