authentik
OAuth2/OpenID provider cannot overwrite sub with property mapping (user info endpoint?)
Describe the bug
Bit of background: For my Immich setup I am trying to have multiple SSO users share the same account. For a few months now, account linking in Immich has been done on sub, breaking my setup. Linking used to be done on the user's email, which I had successfully overwritten for this specific application with a property mapping.
I believe Immich is fetching the userinfo endpoint to retrieve the sub: Immich - auth.service.ts
To Reproduce
Steps to reproduce the behavior:
- Create Application provider
- Create OAuth property mapping (see screenshot below)
- Check preview in Provider settings => All seems ok
- Try authenticating with an application that fetches userinfo rather than checks ID Token => Original subject value will be used instead of overwritten value
Expected behavior
Overwrite sub correctly on both ID Token and user info endpoint
Screenshots
My property mapping:
During preview, the sub value is overwritten:
Version and Deployment (please complete the following information):
- authentik version: 2024.6.3
- Deployment: docker-compose
Additional context
It seems to me that the ID token sub value may be overwritten, but not the userinfo endpoint. Can anyone confirm / fix? This issue was previously discussed: https://github.com/goauthentik/authentik/issues/6106 - Some code was pushed and the issue got closed, yet it doesn't seem to work still for my use-case.
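The report above hinges on one observable fact: the sub claim in the ID token and the sub returned by the userinfo endpoint disagree after a property mapping is applied. The following is an added diagnostic, not code from the issue or from authentik or Immich, that makes that comparison explicit: it decodes the ID token payload, compares it with a userinfo response, and reports which of the two actually carries the mapped value. The token and userinfo body are constructed samples; the sub values, issuer and the `make_sample_token` helper are assumptions for the example. The decoder reads claims only and performs no signature validation, so it is for inspecting an exchange you captured from your own client, not for authenticating anyone.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWS compact-serialized ID token.

    Diagnostic only: the signature segment is ignored, so never use this
    to decide whether a token is trustworthy.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_sub_consistency(id_token: str, userinfo: dict,
                          expected_sub: Optional[str] = None) -> dict:
    """Compare the sub claim in the ID token with the sub from userinfo.

    If expected_sub (the value your property mapping is meant to produce)
    is given, also report which endpoint the mapping reached. An app that
    links accounts on userinfo will use userinfo_sub, not id_token_sub.
    """
    token_sub = id_token_claims(id_token).get("sub")
    info_sub = userinfo.get("sub")
    result = {
        "id_token_sub": token_sub,
        "userinfo_sub": info_sub,
        "consistent": token_sub == info_sub,
    }
    if expected_sub is not None:
        result["mapping_applied_to_id_token"] = token_sub == expected_sub
        result["mapping_applied_to_userinfo"] = info_sub == expected_sub
    return result


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below.

    Assumption for this example: a real IdP signs its tokens; this helper
    only exists so the decoder has a well-formed input to parse offline.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample exchange mirroring the report: the mapping reached the
# ID token, but the userinfo endpoint still returns the original subject.
MAPPED_SUB = "shared-immich-account"          # value the property mapping sets
SAMPLE_ID_TOKEN = make_sample_token({
    "iss": "https://authentik.example",       # assumed issuer
    "sub": MAPPED_SUB,
    "aud": "immich",
})
SAMPLE_USERINFO = {"sub": "ak-original-user-id", "email": "alice@example"}


if __name__ == "__main__":
    report = check_sub_consistency(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, MAPPED_SUB)
    print(json.dumps(report, indent=2))
```

With a captured ID token and the raw userinfo JSON from your own login flow in place of the constructed samples, a `consistent: false` result with `mapping_applied_to_userinfo: false` is exactly the symptom described in this issue, and tells you the client is linking on a value the mapping never touched.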
Is the scope mapping selected in the oauth2 provider?
> Is the scope mapping selected in the oauth2 provider?
Yes it is, see my selected scopes below.
I believe also the preview (screenshot 2 in main post) would not compute with the mapping (sub field) if it were not selected.
Experiencing something similar where my custom property mapping doesn't even show up in the payload.
This works for me, but you must use a scope name that Immich actually requests. Scope name: openid works fine.