✨ Add Name and ObjectID claims for OIDC providers

Brawdunoir · Brawdunoir · commit 56eece361c3e · 2026-02-13T14:44:29.000+01:00
Signed-off-by: Yann Lacroix &lt;yann.lacroix@advans-group.com&gt;
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -725,11 +725,15 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
 		Email             string   `json:"email"`
 		Groups            []string `json:"groups,omitempty"`
 		PreferredUsername string   `json:"preferredUsername,omitempty"`
+		ObjectID          string   `json:"oid,omitempty"`
+		Name              string   `json:"name,omitempty"`
 	}{
 		User:              session.User,
 		Email:             session.Email,
 		Groups:            session.Groups,
 		PreferredUsername: session.PreferredUsername,
+		ObjectID:          session.ObjectID,
+		Name:              session.Name,
 	}
 
 	if err := json.NewEncoder(rw).Encode(userInfo); err != nil {
diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go
@@ -311,7 +311,9 @@ type OIDCOptions struct {
 	GroupsClaim string `yaml:"groupsClaim,omitempty"`
 	// UserIDClaim indicates which claim contains the user ID
 	// default set to 'email'
-	UserIDClaim string `yaml:"userIDClaim,omitempty"`
+	UserIDClaim  string `yaml:"userIDClaim,omitempty"`
+	NameClaim    string `yaml:"nameClaim,omitempty"`
+	ObjecIDClaim string `yaml:"objectIDClaim,omitempty"`
 	// AudienceClaim allows to define any claim that is verified against the client id
 	// By default `aud` claim is used for verification.
 	AudienceClaims []string `yaml:"audienceClaims,omitempty"`
diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go
@@ -23,6 +23,8 @@ type SessionState struct {
 
 	Nonce []byte `msgpack:"n,omitempty"`
 
+	ObjectID          string   `msgpack:"id,omitempty"`
+	Name              string   `msgpack:"name,omitempty"`
 	Email             string   `msgpack:"e,omitempty"`
 	User              string   `msgpack:"u,omitempty"`
 	Groups            []string `msgpack:"g,omitempty"`
@@ -108,7 +110,7 @@ func (s *SessionState) Age() time.Duration {
 
 // String constructs a summary of the session state
 func (s *SessionState) String() string {
-	o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s", s.Email, s.User, s.PreferredUsername)
+	o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s oid:%s name:%s", s.Email, s.User, s.PreferredUsername, s.ObjectID, s.Name)
 	if s.AccessToken != "" {
 		o += " token:true"
 	}
@@ -135,6 +137,10 @@ func (s *SessionState) GetClaim(claim string) []string {
 		return []string{}
 	}
 	switch claim {
+	case "name":
+		return []string{s.Name}
+	case "oid":
+		return []string{s.ObjectID}
 	case "access_token":
 		return []string{s.AccessToken}
 	case "id_token":
diff --git a/providers/oidc.go b/providers/oidc.go
@@ -196,6 +196,8 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
 		s.User = newSession.User
 		s.Groups = newSession.Groups
 		s.PreferredUsername = newSession.PreferredUsername
+		s.Name = newSession.Name
+		s.ObjectID = newSession.ObjectID
 	}
 
 	s.AccessToken = newSession.AccessToken
diff --git a/providers/provider_data.go b/providers/provider_data.go
@@ -46,6 +46,8 @@ type ProviderData struct {
 
 	// Common OIDC options for any OIDC-based providers to consume
 	AllowUnverifiedEmail     bool
+	ObjectIDClaim            string
+	NameClaim                string
 	UserClaim                string
 	EmailClaim               string
 	GroupsClaim              string
@@ -260,6 +262,8 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
 		{p.UserClaim, &ss.User},
 		{p.EmailClaim, &ss.Email},
 		{p.GroupsClaim, &ss.Groups},
+		{p.ObjectIDClaim, &ss.ObjectID},
+		{p.NameClaim, &ss.Name},
 		// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
 		{"preferred_username", &ss.PreferredUsername},
 	} {
diff --git a/providers/providers.go b/providers/providers.go
@@ -147,6 +147,8 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 	p.AllowUnverifiedEmail = ptr.Deref(providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail, options.DefaultInsecureAllowUnverifiedEmail)
 	p.EmailClaim = providerConfig.OIDCConfig.EmailClaim
 	p.GroupsClaim = providerConfig.OIDCConfig.GroupsClaim
+	p.ObjectIDClaim = providerConfig.OIDCConfig.ObjecIDClaim
+	p.NameClaim = providerConfig.OIDCConfig.NameClaim
 	p.SkipClaimsFromProfileURL = ptr.Deref(providerConfig.SkipClaimsFromProfileURL, options.DefaultSkipClaimsFromProfileURL)
 
 	// Set PKCE enabled or disabled based on discovery and force options

Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,8 @@ func (p OIDCProvider) redeemRefreshToken(ctx context.Context, s sessions.Sessi`
`196`	`196`	`s.User = newSession.User`
`197`	`197`	`s.Groups = newSession.Groups`
`198`	`198`	`s.PreferredUsername = newSession.PreferredUsername`
	`199`	`+ s.Name = newSession.Name`
	`200`	`+ s.ObjectID = newSession.ObjectID`
`199`	`201`	`}`
`200`	`202`
`201`	`203`	`s.AccessToken = newSession.AccessToken`