Allow not loading profile information from user info endpoint

9p4 · 9p4 · commit 0e897f922f78 · 2025-12-18T15:14:34.000-05:00
diff --git a/SSO-Auth/Api/SSOController.cs b/SSO-Auth/Api/SSOController.cs
@@ -114,6 +114,7 @@ public async Task<ActionResult> OidPost(
                 Scope = string.Join(" ", scopes.Prepend("openid profile")),
                 DisablePushedAuthorization = config.DisablePushedAuthorization,
                 LoggerFactory = _loggerFactory,
+                LoadProfile = !config.DoNotLoadProfile,
             };
             var oidEndpointUri = new Uri(config.OidEndpoint?.Trim());
             options.Policy.Discovery.AdditionalEndpointBaseAddresses.Add(oidEndpointUri.GetLeftPart(UriPartial.Authority));
@@ -340,6 +341,7 @@ public async Task<ActionResult> OidChallenge(string provider, [FromQuery] bool i
                 Scope = string.Join(" ", config.OidScopes.Prepend("openid profile")),
                 DisablePushedAuthorization = config.DisablePushedAuthorization,
                 LoggerFactory = _loggerFactory,
+                LoadProfile = !config.DoNotLoadProfile,
             };
             var oidEndpointUri = new Uri(config.OidEndpoint?.Trim());
             options.Policy.Discovery.AdditionalEndpointBaseAddresses.Add(oidEndpointUri.GetLeftPart(UriPartial.Authority));
diff --git a/SSO-Auth/Config/PluginConfiguration.cs b/SSO-Auth/Config/PluginConfiguration.cs
@@ -327,6 +327,11 @@ public SerializableDictionary<string, Guid> CanonicalLinks
     /// Gets or sets a value indicating whether the OpenID issuer name is validated.
     /// </summary>
     public bool DoNotValidateIssuerName { get; set; }
+
+    /// <summary>
+    /// Gets or sets a value indicating whether the UserInfo endpoint is used to get profile data.
+    /// </summary>
+    public bool DoNotLoadProfile { get; set; }
 }
 
 /// <summary>
diff --git a/SSO-Auth/Config/configPage.html b/SSO-Auth/Config/configPage.html
@@ -637,6 +637,23 @@ <h2 class="sectionTitle">SSO Settings:</h2>
                     <span>Do Not Validate OpenID Issuer Name (Insecure)</span>
                   </label>
                 </div>
+                <div
+                  class="checkboxContainer checkboxContainer-withDescription"
+                >
+                  <label>
+                    <input
+                      is="emby-checkbox"
+                      id="DoNotLoadProfile"
+                      name="DoNotLoadProfile"
+                      type="checkbox"
+                      class="sso-toggle"
+                    />
+                    <span>Do Not Load Profile Information</span>
+                  </label>
+                  <div class="fieldDescription checkboxFieldDescription">
+                    May be required for Cloudflare OpenID
+                  </div>
+                </div>
 
                 <div class="inputContainer">
                   <label class="inputLabel inputLabelUnfocused" for="RoleClaim"
