diff --git a/README.md b/README.md
index 169d908f..eb786d1b 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ end
 | jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n" |
 | logout_path | The log out is only triggered when the request path ends on this path | no | '/logout' | '/sign_out' |
 | acr_values | Authentication Class Reference(ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html) | no | nil | "c1 c2" |
+| call_userinfo_endpoint | Whether to call the userinfo endpoint | no | true | one of: true, false |
 ### Client Config Options
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index ebfaaa17..60d4485b 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -67,6 +67,7 @@ class OpenIDConnect # rubocop:disable Metrics/ClassLength
 },
 code_challenge_method: 'S256',
 }
+ option :call_userinfo_endpoint, true
 option :logout_path, '/logout'
@@ -258,10 +259,14 @@ def user_info
 if access_token.id_token
 decoded = decode_id_token(access_token.id_token).raw_attributes
+ merge_with = JSON::JWS.new({})
+ merge_with = access_token.userinfo!.raw_attributes if options.call_userinfo_endpoint
- @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
- else
+ @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new merge_with.merge(decoded)
+ elsif options.call_userinfo_endpoint
 @user_info = access_token.userinfo!
+ else
+ @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new
 end
 end
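Review bot: The new final `else` branch (`@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new`) returns an empty user_info when the token response carries no id_token and the userinfo call is disabled, so the strategy continues with an identity that has no `sub` and no verified claims instead of failing; that combination should be rejected explicitly, e.g. raise the strategy's own error type (or `fail!`) with a message naming the missing id_token, and the option should be documented as requiring an id_token when set to false. `merge_with = JSON::JWS.new({})` builds a signature object only to act as an empty hash for the later `merge`; `merge_with = options.call_userinfo_endpoint ? access_token.userinfo!.raw_attributes : {}` expresses the same in one line without the detour through `JSON::JWS`. With `call_userinfo_endpoint` false every claim in the auth hash now comes from the id_token alone, which is only sound if `decode_id_token` verifies the signature (inferred from its name; the check itself is outside the hunk). The enclosing `def user_info` starts outside the hunk.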