Add per-provider enrich with userinfo endpoint setting

lib/Controller/LoginController.php

@@ -539,7 +539,13 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		}
 
 		// default is false
-		if (isset($oidcSystemConfig['enrich_login_id_token_with_userinfo']) && $oidcSystemConfig['enrich_login_id_token_with_userinfo']) {
+		$globalEnrichWithUserinfo = isset($oidcSystemConfig['enrich_login_id_token_with_userinfo']) && $oidcSystemConfig['enrich_login_id_token_with_userinfo'];
+		$providerEnrichWithUserinfo = $this->providerService->getSetting(
+			$provider->getId(),
+			ProviderService::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO,
+			'0'
+		) === '1';
+		if ($globalEnrichWithUserinfo || $providerEnrichWithUserinfo) {
 			$userInfo = $this->oidcService->userInfo($provider, $data['access_token']);
 			$this->logger->debug('[UserInfoEnrich] Enriching the JWT payload with userinfo values');
 			foreach ($userInfo as $key => $value) {

lib/ResponseDefinitions.php

@@ -46,6 +46,7 @@
  *     groupWhitelistRegex: string,
  *     restrictLoginToGroups: bool,
  *     nestedAndFallbackClaims: bool,
+ *     enrichLoginIdTokenWithUserinfo: bool,
  * }
  *
  * @psalm-type UserOIDCProvider = array{

lib/Service/ProviderService.php

@@ -61,6 +61,7 @@ class ProviderService {
 	public const SETTING_RESTRICT_LOGIN_TO_GROUPS = 'restrictLoginToGroups';
 	public const SETTING_AZURE_GROUP_NAMES = 'azureGroupNames';
 	public const SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING = 'nestedAndFallbackClaims';
+	public const SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO = 'enrichLoginIdTokenWithUserinfo';
 
 	public const BOOLEAN_SETTINGS_DEFAULT_VALUES = [
 		self::SETTING_GROUP_PROVISIONING => false,
@@ -72,6 +73,7 @@ class ProviderService {
 		self::SETTING_RESTRICT_LOGIN_TO_GROUPS => false,
 		self::SETTING_AZURE_GROUP_NAMES => false,
 		self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING => false,
+		self::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO => false,
 	];
 
 	public function __construct(
@@ -195,6 +197,7 @@ public function getSupportedSettings(): array {
 			self::SETTING_RESTRICT_LOGIN_TO_GROUPS,
 			self::SETTING_AZURE_GROUP_NAMES,
 			self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING,
+			self::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO,
 		];
 	}
 

openapi.json

@@ -124,7 +124,8 @@
                     "groupProvisioning",
                     "groupWhitelistRegex",
                     "restrictLoginToGroups",
-                    "nestedAndFallbackClaims"
+                    "nestedAndFallbackClaims",
+                    "enrichLoginIdTokenWithUserinfo"
                 ],
                 "properties": {
                     "mappingDisplayName": {
@@ -231,6 +232,9 @@
                     },
                     "nestedAndFallbackClaims": {
                         "type": "boolean"
+                    },
+                    "enrichLoginIdTokenWithUserinfo": {
+                        "type": "boolean"
                     }
                 }
             }

src/components/AdminSettings.vue

@@ -203,6 +203,7 @@ export default {
 					providerBasedId: false,
 					groupProvisioning: false,
 					sendIdTokenHint: true,
+					enrichLoginIdTokenWithUserinfo: false,
 				},
 			},
 			showNewProvider: false,

src/components/SettingsForm.vue

@@ -333,6 +333,14 @@
 		<p class="settings-hint">
 			{{ t('user_oidc', 'Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider.') }}
 		</p>
+		<NcCheckboxRadioSwitch
+			v-model="localProvider.settings.enrichLoginIdTokenWithUserinfo"
+			wrapper-element="div">
+			{{ t('user_oidc', 'Enrich login ID token with userinfo') }}
+		</NcCheckboxRadioSwitch>
+		<p class="settings-hint">
+			{{ t('user_oidc', 'Fetch additional information not found in the login ID token from the userinfo endpoint. This setting is overwritten if the global enrich_login_id_token_with_userinfo option is enabled.') }}
+		</p>
 		<div class="provider-edit--footer">
 			<NcButton @click="$emit('cancel-form')">
 				{{ t('user_oidc', 'Cancel') }}

tests/unit/Service/ProviderServiceTest.php

@@ -99,6 +99,7 @@ public function testGetProvidersWithSettings() {
 					'restrictLoginToGroups' => true,
 					'azureGroupNames' => true,
 					'nestedAndFallbackClaims' => true,
+					'enrichLoginIdTokenWithUserinfo' => true,
 				],
 			],
 			[
@@ -146,6 +147,7 @@ public function testGetProvidersWithSettings() {
 					'restrictLoginToGroups' => true,
 					'azureGroupNames' => true,
 					'nestedAndFallbackClaims' => true,
+					'enrichLoginIdTokenWithUserinfo' => true,
 				],
 			],
 		], $this->providerService->getProvidersWithSettings());
@@ -189,6 +191,7 @@ public function testSetSettings() {
 			'restrictLoginToGroups' => false,
 			'azureGroupNames' => false,
 			'nestedAndFallbackClaims' => false,
+			'enrichLoginIdTokenWithUserinfo' => false,
 		];
 		$this->appConfig->expects(self::any())
 			->method('getValueString')
@@ -229,6 +232,7 @@ public function testSetSettings() {
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_RESTRICT_LOGIN_TO_GROUPS, '', true, '0'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_AZURE_GROUP_NAMES, '', true, '0'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING, '', true, '0'],
+				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO, '', true, '0'],
 			]);
 
 		Assert::assertEquals(