From 376ef2b846964e21cb7882fecdcddaec791ef8a8 Mon Sep 17 00:00:00 2001
From: Geoffrey Ragot
Date: Mon, 7 Nov 2022 18:26:19 +0100
Subject: [PATCH] feat: fix missing email on claims

---
 pkg/oidc/authorize_callback.go |  9 +++++++--
 pkg/oidc/oidc_test.go          | 27 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/pkg/oidc/authorize_callback.go b/pkg/oidc/authorize_callback.go
index 8f25686..e4b3991 100644
--- a/pkg/oidc/authorize_callback.go
+++ b/pkg/oidc/authorize_callback.go
@@ -52,12 +52,17 @@ func authorizeCallbackHandler(
 		panic(err)
 	}
 
+	userInfos, err := rp.Userinfo(tokens.AccessToken, "Bearer", tokens.IDTokenClaims.GetSubject(), relyingParty)
+	if err != nil {
+		panic(err)
+	}
+
 	user, err := storage.FindUserBySubject(r.Context(), tokens.IDTokenClaims.GetSubject())
 	if err != nil {
 		user = &auth.User{
 			ID:      uuid.NewString(),
-			Subject: tokens.IDTokenClaims.GetSubject(),
-			Email:   tokens.IDTokenClaims.GetEmail(),
+			Subject: userInfos.GetSubject(),
+			Email:   userInfos.GetEmail(),
 		}
 		if err := storage.SaveUser(r.Context(), *user); err != nil {
 			panic(err)
diff --git a/pkg/oidc/oidc_test.go b/pkg/oidc/oidc_test.go
index 9410704..2849f61 100644
--- a/pkg/oidc/oidc_test.go
+++ b/pkg/oidc/oidc_test.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
@@ -33,6 +34,24 @@ func init() {
 	os.Setenv(op.OidcDevMode, "true")
 }
 
+type user struct {
+	*mockoidc.MockUser
+}
+
+func (u *user) Userinfo(scope []string) ([]byte, error) {
+	encoded, err := u.MockUser.Userinfo(scope)
+	if err != nil {
+		return nil, err
+	}
+
+	m := make(map[string]any)
+	if err := json.Unmarshal(encoded, &m); err != nil {
+		return nil, err
+	}
+	m["sub"] = u.Subject
+	return json.Marshal(m)
+}
+
 func withServer(t *testing.T, fn func(m *mockoidc.MockOIDC, storage *sqlstorage.Storage, provider op.OpenIDProvider)) {
 	// Create a mock OIDC server which will always return a default user
 	mockOIDC, err := mockoidc.Run()
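Review bot: The added rp.Userinfo call runs before storage.FindUserBySubject, so every callback for an already-registered user now depends on the userinfo endpoint and panics when that request fails, even though userInfos is only read inside the not-found branch; moving the fetch into that branch keeps the existing-user path as it was and saves one round-trip per login. The lookup keys on tokens.IDTokenClaims.GetSubject() while the saved record takes userInfos.GetSubject(); the relying-party client presumably rejects a userinfo response whose sub differs from the ID token (the sub-injecting mock in the test suggests so), but using the ID-token subject for both keeps that invariant visible in this handler. If the stored email is ever used for account matching elsewhere, note that nothing here consults the provider's email_verified claim. authorizeCallbackHandler starts and ends outside the hunk.
```go
	user, err := storage.FindUserBySubject(r.Context(), tokens.IDTokenClaims.GetSubject())
	if err != nil {
		// Only a first login needs the profile; existing users are served from storage.
		userInfos, infoErr := rp.Userinfo(tokens.AccessToken, "Bearer", tokens.IDTokenClaims.GetSubject(), relyingParty)
		if infoErr != nil {
			panic(infoErr)
		}
		user = &auth.User{
			ID:      uuid.NewString(),
			Subject: tokens.IDTokenClaims.GetSubject(),
			Email:   userInfos.GetEmail(),
		}
		// … unchanged: storage.SaveUser and its error handling …
```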
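Review bot: The user type and its Userinfo override carry no comment saying why the mock's response has to be patched, and the test depends on that patch silently; suggest `// user wraps MockUser so the userinfo response carries the "sub" claim, which the relying-party client appears to compare against the ID-token subject before accepting the profile.` above the type declaration. The wrapper also re-encodes the payload through a map[string]any, which is fine for the claims asserted here but drops the original field order and number formatting, worth a short comment if the raw bytes are ever compared.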
@@ -116,6 +135,10 @@ func Test3LeggedFlow(t *testing.T) {
 	clientRelyingParty, err := rp.NewRelyingPartyOIDC(provider.Issuer(), client.Id, clear, client.RedirectURIs[0], []string{"openid", "email"})
 	require.NoError(t, err)
 
+	m.QueueUser(&user{
+		MockUser: mockoidc.DefaultUser(),
+	})
+
 	// Trigger an authentication request
 	authUrl := rp.AuthURL("", clientRelyingParty)
 	if testing.Verbose() {
@@ -145,6 +168,10 @@ func Test3LeggedFlow(t *testing.T) {
 	introspection, err := rs.Introspect(context.TODO(), resourceServer, tokens.AccessToken)
 	require.NoError(t, err)
 	require.True(t, introspection.IsActive())
+
+	user, err := storage.FindUser(context.TODO(), tokens.IDTokenClaims.GetSubject())
+	require.NoError(t, err)
+	require.NotEmpty(t, user.Email)
 default:
 	require.Fail(t, "code was expected")
 }
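Review bot: The new assertion only checks that user.Email is non-empty, so the test still passes if the handler stored an email taken from the wrong claim or the wrong user; pinning the served value, e.g. `require.Equal(t, mockoidc.DefaultUser().Email, user.Email)` (assuming MockUser exposes the Email field its Userinfo response is built from), ties the test to the fix. The lookup calls storage.FindUser with the ID-token subject while the handler uses storage.FindUserBySubject; if FindUser keys on the record ID rather than the subject the assertion passes only by accident, which is worth confirming against the storage package. Test3LeggedFlow starts and ends outside the hunk.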