feat(custom-oauth): add per-provider custom_claims_allowlist

Author: cemalkilic

internal/api/custom_oauth_admin.go

@@ -53,9 +53,11 @@ type AdminCustomOAuthProviderParams struct {
 	Scopes              []string               `json:"scopes"`
 	PKCEEnabled         *bool                  `json:"pkce_enabled,omitempty"`
 	AttributeMapping    map[string]interface{} `json:"attribute_mapping,omitempty"`
-	AuthorizationParams map[string]interface{} `json:"authorization_params,omitempty"`
-	Enabled             *bool                  `json:"enabled,omitempty"`
-	EmailOptional       *bool                  `json:"email_optional,omitempty"`
+	// CustomClaimsAllowlist lists raw IdP claim keys to copy verbatim into custom_claims.
+	CustomClaimsAllowlist []string               `json:"custom_claims_allowlist,omitempty"`
+	AuthorizationParams   map[string]interface{} `json:"authorization_params,omitempty"`
+	Enabled               *bool                  `json:"enabled,omitempty"`
+	EmailOptional         *bool                  `json:"email_optional,omitempty"`
 
 	// OIDC-specific fields
 	Issuer         string  `json:"issuer,omitempty"`
@@ -170,6 +172,11 @@ func (a *API) adminCustomOAuthProviderCreate(w http.ResponseWriter, r *http.Requ
 		return err
 	}
 
+	// Validate custom claims allowlist (non-empty source keys)
+	if err := validateCustomClaimsAllowlist(params.CustomClaimsAllowlist); err != nil {
+		return err
+	}
+
 	// Check quota if configured
 	if config.CustomOAuth.MaxProviders > 0 {
 		totalCount, err := models.CountCustomOAuthProviders(db)
@@ -278,6 +285,13 @@ func (a *API) adminCustomOAuthProviderUpdate(w http.ResponseWriter, r *http.Requ
 		}
 	}
 
+	// Validate custom claims allowlist if provided
+	if params.CustomClaimsAllowlist != nil {
+		if err := validateCustomClaimsAllowlist(params.CustomClaimsAllowlist); err != nil {
+			return err
+		}
+	}
+
 	// Read the existing provider outside the write transaction so the
 	// network call (discovery fetch) doesn't hold a transaction open.
 	provider, err := models.FindCustomOAuthProviderByIdentifier(db, identifier)
@@ -477,18 +491,19 @@ func buildProviderFromParams(params *AdminCustomOAuthProviderParams, providerTyp
 	// Generate ID upfront so it's available for client secret encryption (used as AAD)
 	id, _ := uuid.NewV4()
 	provider := &models.CustomOAuthProvider{
-		ID:                  id,
-		ProviderType:        providerType,
-		Identifier:          params.Identifier,
-		Name:                params.Name,
-		ClientID:            params.ClientID,
-		AcceptableClientIDs: popslices.String(params.AcceptableClientIDs),
-		Scopes:              popslices.String(params.Scopes),
-		PKCEEnabled:         getBoolOrDefault(params.PKCEEnabled, true),
-		AttributeMapping:    popslices.Map(params.AttributeMapping),
-		AuthorizationParams: popslices.Map(params.AuthorizationParams),
-		Enabled:             getBoolOrDefault(params.Enabled, true),
-		EmailOptional:       getBoolOrDefault(params.EmailOptional, false),
+		ID:                    id,
+		ProviderType:          providerType,
+		Identifier:            params.Identifier,
+		Name:                  params.Name,
+		ClientID:              params.ClientID,
+		AcceptableClientIDs:   popslices.String(params.AcceptableClientIDs),
+		Scopes:                popslices.String(params.Scopes),
+		PKCEEnabled:           getBoolOrDefault(params.PKCEEnabled, true),
+		AttributeMapping:      popslices.Map(params.AttributeMapping),
+		CustomClaimsAllowlist: popslices.String(params.CustomClaimsAllowlist),
+		AuthorizationParams:   popslices.Map(params.AuthorizationParams),
+		Enabled:               getBoolOrDefault(params.Enabled, true),
+		EmailOptional:         getBoolOrDefault(params.EmailOptional, false),
 	}
 
 	// Set type-specific fields
@@ -560,6 +575,9 @@ func updateProviderFromParams(provider *models.CustomOAuthProvider, params *Admi
 	if params.AttributeMapping != nil {
 		provider.AttributeMapping = popslices.Map(params.AttributeMapping)
 	}
+	if params.CustomClaimsAllowlist != nil {
+		provider.CustomClaimsAllowlist = popslices.String(params.CustomClaimsAllowlist)
+	}
 	if params.AuthorizationParams != nil {
 		provider.AuthorizationParams = popslices.Map(params.AuthorizationParams)
 	}
@@ -749,3 +767,18 @@ func validateAttributeMapping(mapping map[string]interface{}) error {
 	return nil
 }
 
+// validateCustomClaimsAllowlist ensures every allowlist entry is a non-empty
+// source claim key. Unlike attribute_mapping, these are opaque source keys
+// copied into custom_claims (not typed targets)
+func validateCustomClaimsAllowlist(allowlist []string) error {
+	for _, key := range allowlist {
+		if strings.TrimSpace(key) == "" {
+			return apierrors.NewBadRequestError(
+				apierrors.ErrorCodeValidationFailed,
+				"custom_claims_allowlist entries must be non-empty strings",
+			)
+		}
+	}
+
+	return nil
+}

internal/api/custom_oauth_admin_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 
 	popslices "github.com/gobuffalo/pop/v6/slices"
-	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/gofrs/uuid"
+	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
@@ -596,6 +596,56 @@ func (ts *CustomOAuthAdminTestSuite) TestUpdateProvider() {
 	assert.Equal(ts.T(), popslices.String{"openid", "profile", "email"}, updated.Scopes)
 }
 
+func (ts *CustomOAuthAdminTestSuite) TestCustomClaimsAllowlistCreateUpdateGet() {
+	payload := ts.createTestOAuth2Payload("allowlist-provider")
+	payload["custom_claims_allowlist"] = []string{"groups", "org_id"}
+
+	w := ts.createProvider(payload, http.StatusCreated)
+
+	var created models.CustomOAuthProvider
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&created))
+	assert.Equal(ts.T(), popslices.String{"groups", "org_id"}, created.CustomClaimsAllowlist)
+
+	// PUT replaces the allowlist.
+	updatePayload := map[string]interface{}{
+		"custom_claims_allowlist": []string{"mail", "sn", "nlEduPersonProfileId"},
+	}
+	var body bytes.Buffer
+	require.NoError(ts.T(), json.NewEncoder(&body).Encode(updatePayload))
+
+	req := httptest.NewRequest(http.MethodPut, fmt.Sprintf("/admin/custom-providers/%s", created.Identifier), &body)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+	w = httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	require.Equal(ts.T(), http.StatusOK, w.Code)
+
+	var updated models.CustomOAuthProvider
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&updated))
+	assert.Equal(ts.T(), popslices.String{"mail", "sn", "nlEduPersonProfileId"}, updated.CustomClaimsAllowlist)
+
+	// GET returns the persisted allowlist.
+	req = httptest.NewRequest(http.MethodGet, fmt.Sprintf("/admin/custom-providers/%s", created.Identifier), nil)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+	w = httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	require.Equal(ts.T(), http.StatusOK, w.Code)
+
+	var fetched models.CustomOAuthProvider
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&fetched))
+	assert.Equal(ts.T(), popslices.String{"mail", "sn", "nlEduPersonProfileId"}, fetched.CustomClaimsAllowlist)
+}
+
+func (ts *CustomOAuthAdminTestSuite) TestCustomClaimsAllowlistRejectsEmptyEntries() {
+	payload := ts.createTestOAuth2Payload("allowlist-bad")
+	payload["custom_claims_allowlist"] = []string{"groups", ""}
+
+	w := ts.createProvider(payload, http.StatusBadRequest)
+
+	var apiErr apierrors.HTTPError
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&apiErr))
+	assert.Equal(ts.T(), apierrors.ErrorCodeValidationFailed, apiErr.ErrorCode)
+}
+
 // Test DELETE /admin/custom-providers/:id (Delete)
 
 func (ts *CustomOAuthAdminTestSuite) TestDeleteProvider() {

internal/api/external.go

@@ -743,6 +743,7 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 			customProvider.AcceptableClientIDs,
 			customProvider.AttributeMapping,
 			customProvider.AuthorizationParams,
+			customProvider.CustomClaimsAllowlist,
 		)
 
 		// Build provider configuration
@@ -776,6 +777,7 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 		customProvider.AcceptableClientIDs,
 		customProvider.AttributeMapping,
 		customProvider.AuthorizationParams,
+		customProvider.CustomClaimsAllowlist,
 		a.oidcCache,
 	)
 	if err != nil {

internal/api/provider/custom_oauth.go

@@ -12,12 +12,13 @@ import (
 
 // CustomOAuthProvider implements OAuthProvider for custom OAuth2 providers
 type CustomOAuthProvider struct {
-	config              *oauth2.Config
-	userinfoURL         string
-	pkceEnabled         bool
-	acceptableClientIDs []string
-	attributeMapping    map[string]interface{}
-	authorizationParams map[string]interface{}
+	config                *oauth2.Config
+	userinfoURL           string
+	pkceEnabled           bool
+	acceptableClientIDs   []string
+	attributeMapping      map[string]interface{}
+	authorizationParams   map[string]interface{}
+	customClaimsAllowlist []string
 }
 
 // NewCustomOAuthProvider creates a new custom OAuth provider
@@ -27,6 +28,7 @@ func NewCustomOAuthProvider(
 	pkceEnabled bool,
 	acceptableClientIDs []string,
 	attributeMapping, authorizationParams map[string]interface{},
+	customClaimsAllowlist []string,
 ) *CustomOAuthProvider {
 	config := &oauth2.Config{
 		ClientID:     clientID,
@@ -40,12 +42,13 @@ func NewCustomOAuthProvider(
 	}
 
 	return &CustomOAuthProvider{
-		config:              config,
-		userinfoURL:         userinfoURL,
-		pkceEnabled:         pkceEnabled,
-		acceptableClientIDs: acceptableClientIDs,
-		attributeMapping:    attributeMapping,
-		authorizationParams: authorizationParams,
+		config:                config,
+		userinfoURL:           userinfoURL,
+		pkceEnabled:           pkceEnabled,
+		acceptableClientIDs:   acceptableClientIDs,
+		attributeMapping:      attributeMapping,
+		authorizationParams:   authorizationParams,
+		customClaimsAllowlist: customClaimsAllowlist,
 	}
 }
 
@@ -68,11 +71,14 @@ func (p *CustomOAuthProvider) GetOAuthToken(ctx context.Context, code string, op
 
 // GetUserData fetches user data from the provider's userinfo endpoint
 func (p *CustomOAuthProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*UserProvidedData, error) {
-	var claims Claims
-	if err := makeRequest(ctx, tok, p.config, p.userinfoURL, &claims); err != nil {
+	claims, raw, err := fetchUserinfoClaims(ctx, tok, p.config, p.userinfoURL)
+	if err != nil {
 		return nil, err
 	}
 
+	// Capture allowlisted custom claims before attribute mapping
+	captureAllowedClaims(raw, p.customClaimsAllowlist, &claims)
+
 	// Apply attribute mapping if configured
 	if len(p.attributeMapping) > 0 {
 		claims = applyAttributeMapping(claims, p.attributeMapping)
@@ -101,13 +107,14 @@ func (p *CustomOAuthProvider) RequiresPKCE() bool {
 
 // CustomOIDCProvider implements OAuthProvider for custom OIDC providers
 type CustomOIDCProvider struct {
-	config              *oauth2.Config
-	oidcProvider        *oidc.Provider
-	userinfoEndpoint    string
-	pkceEnabled         bool
-	acceptableClientIDs []string
-	attributeMapping    map[string]interface{}
-	authorizationParams map[string]interface{}
+	config                *oauth2.Config
+	oidcProvider          *oidc.Provider
+	userinfoEndpoint      string
+	pkceEnabled           bool
+	acceptableClientIDs   []string
+	attributeMapping      map[string]interface{}
+	authorizationParams   map[string]interface{}
+	customClaimsAllowlist []string
 }
 
 // NewCustomOIDCProvider creates a new custom OIDC provider.
@@ -123,6 +130,7 @@ func NewCustomOIDCProvider(
 	pkceEnabled bool,
 	acceptableClientIDs []string,
 	attributeMapping, authorizationParams map[string]interface{},
+	customClaimsAllowlist []string,
 	cache *OIDCProviderCache,
 ) (*CustomOIDCProvider, error) {
 	// Ensure 'openid' scope is always present for OIDC
@@ -155,13 +163,14 @@ func NewCustomOIDCProvider(
 	}
 
 	return &CustomOIDCProvider{
-		config:              config,
-		oidcProvider:        oidcProvider,
-		userinfoEndpoint:    userinfoEndpoint,
-		pkceEnabled:         pkceEnabled,
-		acceptableClientIDs: acceptableClientIDs,
-		attributeMapping:    attributeMapping,
-		authorizationParams: authorizationParams,
+		config:                config,
+		oidcProvider:          oidcProvider,
+		userinfoEndpoint:      userinfoEndpoint,
+		pkceEnabled:           pkceEnabled,
+		acceptableClientIDs:   acceptableClientIDs,
+		attributeMapping:      attributeMapping,
+		authorizationParams:   authorizationParams,
+		customClaimsAllowlist: customClaimsAllowlist,
 	}, nil
 }
 
@@ -201,6 +210,17 @@ func (p *CustomOIDCProvider) GetUserData(ctx context.Context, tok *oauth2.Token)
 			return nil, err
 		}
 
+		// Capture allowlisted custom claims from the raw ID token before
+		// attribute mapping. Because we only copy explicitly listed keys, there
+		// is no risk of re-adding keys a parser intentionally stripped (e.g. Azure).
+		if len(p.customClaimsAllowlist) > 0 && userData.Metadata != nil {
+			var raw map[string]interface{}
+			if err := idTokenObj.Claims(&raw); err != nil {
+				return nil, fmt.Errorf("failed to read ID token claims: %w", err)
+			}
+			captureAllowedClaims(raw, p.customClaimsAllowlist, userData.Metadata)
+		}
+
 		// Apply attribute mapping to the metadata from ID token
 		if len(p.attributeMapping) > 0 && userData.Metadata != nil {
 			*userData.Metadata = applyAttributeMapping(*userData.Metadata, p.attributeMapping)
@@ -211,11 +231,14 @@ func (p *CustomOIDCProvider) GetUserData(ctx context.Context, tok *oauth2.Token)
 
 	// No ID token, use userinfo endpoint
 	if p.userinfoEndpoint != "" {
-		var claims Claims
-		if err := makeRequest(ctx, tok, p.config, p.userinfoEndpoint, &claims); err != nil {
+		claims, raw, err := fetchUserinfoClaims(ctx, tok, p.config, p.userinfoEndpoint)
+		if err != nil {
 			return nil, err
 		}
 
+		// Capture allowlisted custom claims before attribute mapping
+		captureAllowedClaims(raw, p.customClaimsAllowlist, &claims)
+
 		// Apply attribute mapping
 		if len(p.attributeMapping) > 0 {
 			claims = applyAttributeMapping(claims, p.attributeMapping)
@@ -268,6 +291,44 @@ func (p *CustomOIDCProvider) validateAudience(audiences []string) error {
 	return fmt.Errorf("token audience %v does not match any acceptable client ID", audiences)
 }
 
+// fetchUserinfoClaims fetches the userinfo response once and returns both the
+// typed Claims and the raw claim map. The raw map is needed so that arbitrary
+// allowlisted keys (which have no typed field) can be copied verbatim.
+func fetchUserinfoClaims(ctx context.Context, tok *oauth2.Token, config *oauth2.Config, url string) (Claims, map[string]interface{}, error) {
+	var raw map[string]interface{}
+	if err := makeRequest(ctx, tok, config, url, &raw); err != nil {
+		return Claims{}, nil, err
+	}
+
+	var claims Claims
+	b, err := json.Marshal(raw)
+	if err != nil {
+		return Claims{}, nil, err
+	}
+	if err := json.Unmarshal(b, &claims); err != nil {
+		return Claims{}, nil, err
+	}
+
+	return claims, raw, nil
+}
+
+// captureAllowedClaims copies each allowlisted key present in raw into
+// c.CustomClaims verbatim. An empty allowlist captures nothing (D1), and keys
+// absent from raw are silently skipped (no nil entry is created). Because only
+// explicitly listed keys are copied, protocol/registered claims never leak.
+func captureAllowedClaims(raw map[string]interface{}, allowlist []string, c *Claims) {
+	for _, key := range allowlist {
+		value, ok := raw[key]
+		if !ok {
+			continue
+		}
+		if c.CustomClaims == nil {
+			c.CustomClaims = make(map[string]interface{})
+		}
+		c.CustomClaims[key] = value
+	}
+}
+
 // applyAttributeMapping applies custom attribute mapping to claims
 func applyAttributeMapping(claims Claims, mapping map[string]interface{}) Claims {
 	// Create a map representation of claims for easier manipulation