refactor(core)!: update user scopes

[gao-sun]

Summary

• expose original HttpError instead of showing 500
• make new directory anyway when user chooses not to load official connectors
• add scope / claim constants
• update ID Token and Userinfo Endpoint claims to reflect the new design

Testing

• UT
• proper claims returned in ID Token / Userinfo Endpoint

[linear]

LOG-4053 Core: Update Userinfo Endpoint

Current user info endpoint response:

{
    "sub":"SS3pNBWAgAoc",
    "id":"SS3pNBWAgAoc",
    "username":"foo",
    "primary_email":null,
    "primary_phone":null,
    "name":null,
    "avatar":null,
    "role_names":[
        "admin"
    ],
    "custom_data":{
        "adminConsolePreferences":{
            "language":"en",
            "appearanceMode":"dark"
        }
    },
    "identities":{
        "github":{
            "userId":"10594507",
            "details":{
                "id":"10594507",
                "name":"Foo",
                "email":"[email protected]",
                "avatar":"https://avatars.githubusercontent.com/u/10594507?v=4"
            }
        }
    },
    "last_sign_in_at":1661499869711,
    "application_id":"foo"
}

Update to

Add scope to claim mapping:

• profile → name, picture, username, role_names
• email → email, email_verified
• phone → phone_number, phone_number_verified
• custom_data → custom_data
• identities → identities

DO NOT include the following properties in claims (both user info endpoint response and ID token):

• id (i.e. same as sub)
• last_sign_in_at
• application_id

Map DB table properties to standard claims:

• avatar → picture
• primary_email → email
• primary_phone → phone_number

ID token claims:

sub: string; // user id
name?: string; // full name
username?: string;
picture?: string; // avatar
role_names?: string[]; // roles
email?: string; // primary_email
email_verified?: boolean; // if email exists, it will be true
phone_number?: string; // primary_phone
phone_number_verified?: boolean; // if phone_number exists, it will be true

• email, email_verified, phone_number, phone_number_verified will be only returned when the related scope is provided.
• Since custom_data and identities may be very large, they are not appropriate to be included in ID token.
  • Even though scope contains custom_data , identities, ID token will not contain them.

User info response claims:

sub: string; // user id
name?: string; // full name
username?: string;
picture?: string; // avatar
role_names?: string[]; // roles
email?: string; // primary_email
email_verified?: boolean; // if email exists, it will be true
phone_number?: string; // primary_phone
phone_number_verified?: boolean; // if phone_number exists, it will be true

// userinfo additional claims (not included in id token)
custom_data?: unknown;
identities?: unknown; // social identities: mask inner email property (safer)

/* Other properties from user DB table */
// id: string; // user id，same as sub, remove
// last_sign_in_at?: number; // timestamp with the timezone when the user signed in last time
// application_id?: string;// application the user first signed in to

---

Reference:

• https://linear.app/silverhand/issue/LOG-4008/determine-properties-used-in-type-userinforesponse
• https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
• https://www.iana.org/assignments/jwt/jwt.xhtml#claims

[github-actions]

COMPARE TO master

Total Size Diff 📈 +8.77 KB

Diff by File

Name	Diff
packages/console/src/App.tsx	📈 +73 Bytes
packages/console/src/components/AppContent/components/UserInfo/index.tsx	📈 +197 Bytes
packages/core/package.json	📈 +65 Bytes
packages/core/src/env-set/add-connectors.ts	📈 +68 Bytes
packages/core/src/middleware/koa-error-handler.test.ts	📈 +355 Bytes
packages/core/src/middleware/koa-error-handler.ts	📈 +137 Bytes
packages/core/src/oidc/init.ts	📈 +340 Bytes
packages/core/src/oidc/scope.test.ts	📈 +1.6 KB
packages/core/src/oidc/scope.ts	📈 +1.54 KB
packages/shared/src/index.ts	📈 +25 Bytes
packages/shared/src/scope.ts	📈 +2.45 KB
pnpm-lock.yaml	📈 +1.95 KB

[wangsijie]

LGTM

[xiaoyijun]

LGTM