From 613a5f2643a8b404098b0c28a10a03d8daa98869 Mon Sep 17 00:00:00 2001
From: Simon
Date: Wed, 3 Dec 2025 21:51:12 +0100
Subject: [PATCH 1/2] feat: support email scope to retrieve oidc info

---
 lib/accounts/user.ex | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex
index 749740d..3b7e80b 100644
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@@ -69,7 +69,7 @@ defmodule Mv.Accounts.User do
 # Default actions for framework/tooling integration:
 # - :read -> Standard read used across the app and by admin tooling.
 # - :destroy-> Standard delete used by admin tooling and maintenance tasks.
- #
+ #
 # NOTE: :create is INTENTIONALLY excluded from defaults!
 # Using a default :create would bypass email-synchronization logic.
 # Always use one of these explicit create actions instead:
@@ -185,7 +185,9 @@ defmodule Mv.Accounts.User do
 oidc_user_info = Ash.Changeset.get_argument(changeset, :oidc_user_info)
 
 # Get the new email from OIDC user_info
-new_email = Map.get(oidc_user_info, "preferred_username")
+# Support both "email" (standard OIDC) and "preferred_username" (Rauthy)
+new_email =
+ Map.get(oidc_user_info, "email") || Map.get(oidc_user_info, "preferred_username")
 
 changeset
 |> Ash.Changeset.change_attribute(:oidc_id, oidc_id)
@@ -239,8 +241,11 @@ defmodule Mv.Accounts.User do
 change fn changeset, _ctx ->
 user_info = Ash.Changeset.get_argument(changeset, :user_info)
 
+# Support both "email" (standard OIDC like Authentik, Keycloak) and "preferred_username" (Rauthy)
+email = user_info["email"] || user_info["preferred_username"]
+
 changeset
-|> Ash.Changeset.change_attribute(:email, user_info["preferred_username"])
+|> Ash.Changeset.change_attribute(:email, email)
 |> Ash.Changeset.change_attribute(:oidc_id, user_info["sub"] || user_info["id"])
 end
 
From 9cda832b82bf79307e65d293860f9ba5ad531e0b Mon Sep 17 00:00:00 2001
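Review bot: The new `email` claim is written to the account without consulting the standard `email_verified` claim, so an address the provider has not confirmed becomes the local user's email; the same applies to the `email = user_info["email"] || user_info["preferred_username"]` line in the third hunk. OIDC only asserts ownership of the address when `email_verified` is true, so prefer `verified_email = if oidc_user_info["email_verified"] == true, do: oidc_user_info["email"]` followed by `new_email = verified_email || Map.get(oidc_user_info, "preferred_username")`, or record in the comment why the deployed providers are trusted to return only verified addresses (some providers may omit the claim, which would need a config switch). Note also that `||` falls back only on `nil`, so a provider returning `"email": ""` would store an empty email instead of using `preferred_username`. The enclosing change function starts and ends outside this hunk.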
From: Simon
Date: Wed, 3 Dec 2025 22:02:23 +0100
Subject: [PATCH 2/2] fix: request scopes email and profile

---
 lib/accounts/user.ex | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex
index 3b7e80b..dbc62b2 100644
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@@ -54,6 +54,9 @@ defmodule Mv.Accounts.User do
 auth_method :client_secret_jwt
 code_verifier true
 
+# Request email and profile scopes from OIDC provider (required for Authentik, Keycloak, etc.)
+authorization_params scope: "openid email profile"
+
 # id_token_signed_response_alg "EdDSA" #-> https://git.local-it.org/local-it/mitgliederverwaltung/issues/87
 end
 
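Review bot: The comment above the added `authorization_params` line explains why `email` is requested but not why `profile` is, and nothing in these two patches reads name or other profile fields; the reason it is still needed is that `preferred_username`, the Rauthy fallback used by the user-sync code in the first patch, is a `profile`-scope claim. Suggest stating that explicitly, e.g. `# "email" for the email claim; "profile" because preferred_username (the Rauthy fallback) is a profile-scope claim`, so a later data-minimisation pass does not trim the scope and silently break the fallback. The enclosing configuration block starts outside this hunk; only its closing `end` is visible.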