Closed
Description
Symfony version(s) affected
>= 6.3
Description
The documentation states:
> Following the OpenID Connect Specification, the sub claim is used as user identifier by default. To use another claim, specify it on the configuration
However, configuring the claim only affects the `UserBadge`, not the resulting `OidcUser` object.
Contrary to the statement in the documentation, the value of the `OidcUser::userIdentifier` property is null and the `OidcUser::getUserIdentifier` method falls back to the `sub` claim.
How to reproduce
With the following firewall security config:
```yaml
main:
    pattern: ^/
    access_token:
        token_handler:
            oidc_user_info:
                base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
                claim: preferred_username
    stateless: true
```
`preferred_username` is not used as `userIdentifier` in the user object.
Possible Solution
In the class `Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler`, instead of
```php
return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
```
this
```php
return new UserBadge(
    $claims[$this->claim],
    new FallbackUserLoader(
        function (string $userIdentifier) use ($claims) {
            // Carry the configured claim into the user object as well,
            // so the user identifier is not left null there.
            $claims['user_identifier'] = $claims[$this->claim];

            // The loader must return the user it creates.
            return $this->createUser($claims);
        }
    ),
    $claims
);
```
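As an added illustration (not Symfony's code and not part of the report), the stand-ins below mirror the fallback described above and check whether the identifier the `UserBadge` carries matches what the user object reports, which is what any voter, ownership check or audit log keyed on `getUserIdentifier()` relies on; `StandInOidcUser`, `createUserCurrent` and `createUserFixed` are hypothetical names and the claims array is constructed:

```php
<?php
// Added illustration, not Symfony's code: a minimal stand-in for OidcUser
// that reproduces the fallback the report describes
// (getUserIdentifier() returns $userIdentifier ?? $sub).
final class StandInOidcUser
{
    public function __construct(
        private ?string $userIdentifier = null,
        private ?string $sub = null,
        private ?string $preferredUsername = null,
    ) {}

    public function getUserIdentifier(): string
    {
        // Null identifier => silently falls back to the sub claim.
        return $this->userIdentifier ?? $this->sub;
    }
}

// Reported behaviour: the configured claim never reaches the user object.
function createUserCurrent(array $claims): StandInOidcUser
{
    return new StandInOidcUser(sub: $claims['sub'], preferredUsername: $claims['preferred_username']);
}

// Intended behaviour: the identifier is taken from the configured claim.
function createUserFixed(array $claims, string $claim): StandInOidcUser
{
    return new StandInOidcUser(
        userIdentifier: $claims[$claim],
        sub: $claims['sub'],
        preferredUsername: $claims['preferred_username'],
    );
}

// Constructed userinfo response (hypothetical values, not a real token).
$claims = ['sub' => 'sub-1234', 'preferred_username' => 'alice'];
$claim = 'preferred_username';          // value of the `claim:` config key
$badgeIdentifier = $claims[$claim];     // what the UserBadge carries

$users = [
    'current' => createUserCurrent($claims),
    'fixed'   => createUserFixed($claims, $claim),
];
foreach ($users as $label => $user) {
    // A regression check would assert these two values are equal.
    $status = $user->getUserIdentifier() === $badgeIdentifier ? 'consistent' : 'MISMATCH';
    printf("%-7s badge=%s user=%s (%s)\n", $label, $badgeIdentifier, $user->getUserIdentifier(), $status);
}
```

The `current` line shows the badge identified as `alice` while the user object answers `sub-1234`; the `fixed` line shows both agreeing.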
Additional Context
No response