Userinfo endpoint discards JWT claims #849
Description
Hi,
In the userinfo.go implementation, when validating JWT access tokens, the getTokenIDAndSubject() function successfully verifies the token and extracts all claims, but then only returns the JWTID and Subject, discarding the rest:
func getTokenIDAndSubject(ctx context.Context, userinfoProvider UserinfoProvider, accessToken string) (string, string, bool) {
// ...
accessTokenClaims, err := VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, userinfoProvider.AccessTokenVerifier(ctx))
if err != nil {
return "", "", false
}
// All claims available here, but only JWTID and Subject are returned
return accessTokenClaims.JWTID, accessTokenClaims.Subject, true
}Then in the Userinfo() function, an empty oidc.UserInfo object is created and passed to the storage implementation:
func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoProvider) {
// ...
tokenID, subject, ok := getTokenIDAndSubject(r.Context(), userinfoProvider, accessToken)
// ...
info := new(oidc.UserInfo) // Empty UserInfo with no claims
err = userinfoProvider.Storage().SetUserinfoFromToken(r.Context(), info, tokenID, subject, r.Header.Get("origin"))
// ...
}This design makes it very difficult to implement Storage.SetUserinfoFromToken() for stateless JWT access tokens (tokens not stored in a database). The implementation has no access to:
- Scopes (needed to determine which claims to return)
- Client ID (needed for user data lookup and authorization)
- Custom claims embedded in the JWT
Instead of getTokenIDAndSubject(), use getTokenIDAndClaims() that preserves the verified claims and pre-populates the UserInfo object then it works well.
If this approach is incorrect, could you please explain the intended flow for implementing SetUserinfoFromToken() with stateless JWT tokens?