diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex index 749740d..dbc62b2 100644 --- a/lib/accounts/user.ex +++ b/lib/accounts/user.ex @@ -54,6 +54,9 @@ defmodule Mv.Accounts.User do auth_method :client_secret_jwt code_verifier true + # Request email and profile scopes from OIDC provider (required for Authentik, Keycloak, etc.) + authorization_params scope: "openid email profile" + # id_token_signed_response_alg "EdDSA" #-> https://git.local-it.org/local-it/mitgliederverwaltung/issues/87 end @@ -69,7 +72,7 @@ defmodule Mv.Accounts.User do # Default actions for framework/tooling integration: # - :read -> Standard read used across the app and by admin tooling. # - :destroy-> Standard delete used by admin tooling and maintenance tasks. - # + # # NOTE: :create is INTENTIONALLY excluded from defaults! # Using a default :create would bypass email-synchronization logic. # Always use one of these explicit create actions instead: @@ -185,7 +188,9 @@ defmodule Mv.Accounts.User do oidc_user_info = Ash.Changeset.get_argument(changeset, :oidc_user_info) # Get the new email from OIDC user_info - new_email = Map.get(oidc_user_info, "preferred_username") + # Support both "email" (standard OIDC) and "preferred_username" (Rauthy) + new_email = + Map.get(oidc_user_info, "email") || Map.get(oidc_user_info, "preferred_username") changeset |> Ash.Changeset.change_attribute(:oidc_id, oidc_id) @@ -239,8 +244,11 @@ defmodule Mv.Accounts.User do change fn changeset, _ctx -> user_info = Ash.Changeset.get_argument(changeset, :user_info) + # Support both "email" (standard OIDC like Authentik, Keycloak) and "preferred_username" (Rauthy) + email = user_info["email"] || user_info["preferred_username"] + changeset - |> Ash.Changeset.change_attribute(:email, user_info["preferred_username"]) + |> Ash.Changeset.change_attribute(:email, email) |> Ash.Changeset.change_attribute(:oidc_id, user_info["sub"] || user_info["id"]) end