feat: Add OAuth callback support for OIDC (#1290)

Closes #593, closes #690, closes #1289
2025-12-20 09:15:39 +03:00 · 2025-08-09 10:58:55 -06:00
parent b4f6e24442
commit cbb00d1d59
6 changed files with 31 additions and 15 deletions
--- a/server/api/helpers/users/get-or-create-one-with-oidc.js
+++ b/server/api/helpers/users/get-or-create-one-with-oidc.js
@@ -34,16 +34,29 @@ module.exports = {

    let tokenSet;
    try {
-      tokenSet = await client.callback(
-        sails.config.custom.oidcRedirectUri,
-        {
-          iss: sails.config.custom.oidcIssuer,
-          code: inputs.code,
-        },
-        {
-          nonce: inputs.nonce,
-        },
-      );
+      if (sails.config.custom.oidcUseOauthCallback) {
+        tokenSet = await client.oauthCallback(
+          sails.config.custom.oidcRedirectUri,
+          {
+            iss: sails.config.custom.oidcIssuer,
+            code: inputs.code,
+          },
+          {
+            nonce: inputs.nonce,
+          },
+        );
+      } else {
+        tokenSet = await client.callback(
+          sails.config.custom.oidcRedirectUri,
+          {
+            iss: sails.config.custom.oidcIssuer,
+            code: inputs.code,
+          },
+          {
+            nonce: inputs.nonce,
+          },
+        );
+      }
    } catch (error) {
      sails.log.warn(`Error while exchanging OIDC code: ${error}`);
      throw 'invalidCodeOrNonce';
@@ -93,7 +106,6 @@ module.exports = {
            if (configRoles.includes('*')) {
              return true;
            }
-
            return configRoles.some((configRole) => claimsRolesSet.has(configRole));
          },
        );
@@ -148,7 +160,7 @@ module.exports = {
      identityProviderUser = await IdentityProviderUser.qm.createOne({
        userId: user.id,
        issuer: sails.config.custom.oidcIssuer,
-        sub: claims.sub,
+        sub: claims.sub || `${user.id}@${sails.config.custom.oidcIssuer}`,
      });
    }