[Security] Configured oidc_user_info.claim not used as userIdentifier in OidcUser object #58941

@bodendorfer-simplethings

Description

Symfony version(s) affected

>= 6.3

Description

The documentation states:

Following the OpenID Connect Specification, the sub claim is used as user identifier by default. To use another claim, specify it on the configuration

However, when configuring the claim, it only affects the UserBadge, not the resulting OidcUser object.
Contrary to the statement in the documentation, the value of the OidcUser::userIdentifier property is null and the OidcUser::getUserIdentifier method falls back to the sub claim.

How to reproduce

With the following firewall security config:

```yaml
main:
    pattern: ^/
    access_token:
        token_handler:
            oidc_user_info:
                base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
                claim: preferred_username
    stateless: true
```

preferred_username is not used as userIdentifier in the user object.

Possible Solution

In the class Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler, instead of:

```php
return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
```

use this:

```php
return new UserBadge(
    $claims[$this->claim],
    new FallbackUserLoader(
        function (string $userIdentifier) use ($claims) {
            // Carry the configured claim over to the user object as well,
            // so OidcUser::getUserIdentifier() no longer falls back to "sub".
            $claims['user_identifier'] = $claims[$this->claim];

            // The loader must return the user; without "return" it yields null.
            return $this->createUser($claims);
        }
    ),
    $claims
);
```

Additional Context

No response
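The mismatch the issue describes, shown as a stand-alone illustration added here (not Symfony code and not the reporter's patch). The two classes are minimal stand-ins for OidcUser and the userinfo token handler, the userinfo response is constructed sample data, and the "reported" and "expected" methods are hypothetical names chosen to contrast the fallback-to-sub behaviour with the identifier the badge was built from.

```php
<?php
// Added illustration for the issue above; the classes are stand-ins, not Symfony's API.
declare(strict_types=1);

// Stand-in for OidcUser: with no explicit identifier it falls back to "sub",
// which is the behaviour the issue reports.
final class StandInOidcUser
{
    public function __construct(
        private ?string $userIdentifier = null,
        private ?string $sub = null,
        private array $claims = [],
    ) {
    }

    public function getUserIdentifier(): string
    {
        return $this->userIdentifier ?? $this->sub ?? '';
    }
}

// Stand-in for the userinfo token handler; $claim mirrors oidc_user_info.claim.
final class StandInUserInfoHandler
{
    public function __construct(private string $claim = 'sub')
    {
    }

    /** Identifier the handler places on the UserBadge (the configured claim). */
    public function badgeIdentifier(array $claims): string
    {
        if (!isset($claims[$this->claim]) || !is_string($claims[$this->claim])) {
            throw new RuntimeException(sprintf('Claim "%s" missing from userinfo response.', $this->claim));
        }

        return $claims[$this->claim];
    }

    /** Reported behaviour: userIdentifier is never set, so the user object reports "sub". */
    public function createUserReported(array $claims): StandInOidcUser
    {
        return new StandInOidcUser(sub: $claims['sub'] ?? null, claims: $claims);
    }

    /** Expected behaviour: the configured claim is also the user object's identifier. */
    public function createUserExpected(array $claims): StandInOidcUser
    {
        return new StandInOidcUser(
            userIdentifier: $this->badgeIdentifier($claims),
            sub: $claims['sub'] ?? null,
            claims: $claims,
        );
    }
}

// Constructed userinfo response (sample values, not from any real provider).
$claims = [
    'sub' => 'c0ffee-subject-id',
    'preferred_username' => 'alice',
    'email' => 'alice@example.com',
];

$handler = new StandInUserInfoHandler(claim: 'preferred_username');
$badgeId = $handler->badgeIdentifier($claims);

$reportedId = $handler->createUserReported($claims)->getUserIdentifier();
$expectedId = $handler->createUserExpected($claims)->getUserIdentifier();

printf("badge identifier:          %s\n", $badgeId);
printf("user identifier (reported): %s\n", $reportedId);
printf("user identifier (expected): %s\n", $expectedId);

// Regression check for the mismatch: the identifier that authenticated the
// request must be the one the resulting user object reports.
if ($badgeId !== $expectedId) {
    throw new LogicException('Badge and user identifiers diverged');
}
```

Run it with `php example.php` (PHP 8.0+ for named arguments and constructor promotion). The check at the end is the kind of assertion worth keeping in an application's own tests: any authorization logic keyed on `getUserIdentifier()` (audit logs, ownership checks, per-user rate limits) sees `sub` under the reported behaviour while authentication used the configured claim, so the two identifiers should be asserted equal rather than assumed so.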
