I am using ver 1.0.102 and I can see that it has implemented Open ID Connect with the passport-openidconnect module.
Specifically, I'm reading lines 230 - 255 of the code here.
In the `.processProfile` method, the OIDC strategy is attempting to extract the email address from the `jwtClaims` object. However, the request being sent to the openid provider is only adding the 'openid' scope. It does NOT add the 'email' or 'profile' claim to the scopes. My openid provider (Okta) does NOT put the email into the id token unless I request the 'email' scope. But the code above does not provide a way for a developer to add this scope to the request.

Note that the passport-openidconnect module, which is being used by wiki.js, does support adding the scope to the strategy options when the passport strategy is initialized. You can read that source code here, it's line 34.
So I'm simply requesting that you change the code above in the [auth.js file](https://github.com/Requarks/wiki/blob/73cd6af5b7b3338ff30e9466a8da9074cf9bbfad/server/libs/auth.js) to
And then in the config.sample.yml file, set the default oidc object to
This will allow developers to modify the scopes as required by their particular OIDC provider.
NOTE: For my personal use of wiki.js, I used the heroku deploy widget. That project has an install script which automagically downloads and installs the latest release of wiki.js from a tar.gz. So for users like me, it is necessary that this release is up to date.
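The following is an added example, not code from wiki.js, passport-openidconnect or the issue author. It shows the mechanism the issue describes: an OIDC provider only puts `email` into the ID token when the `email` scope was requested, so the strategy's scope list has to be configurable, and the code that reads `jwtClaims.email` should fail loudly rather than silently create an account with no email. The `config.scope` field, the `buildScopes`/`emailFromClaims` helpers and the Okta stand-in are all assumptions made for illustration; the real passport-openidconnect strategy accepts a `scope` option in its constructor, as the post notes, but the library is not used here so the block runs offline.

```javascript
// Added example (not wiki.js or passport-openidconnect code).
// Hypothetical config shape: the oidc config object carries a `scope`
// field, either a space-separated string or an array, as in the proposal.
function buildScopes(config) {
  const requested = Array.isArray(config.scope)
    ? config.scope
    : (typeof config.scope === 'string' ? config.scope.split(/\s+/) : []);
  // 'openid' is mandatory for an OIDC authorization request:
  // always put it first, then append any configured extras, deduplicated.
  const scopes = ['openid'];
  for (const s of requested) {
    if (s && !scopes.includes(s)) scopes.push(s);
  }
  return scopes;
}

// Constructed stand-in for the provider behaviour described in the issue:
// the 'email' claims appear in the ID token only if the 'email' scope was
// granted, and 'name' only with 'profile'. This is NOT Okta's real code.
function simulateIdTokenClaims(scopes, user) {
  const claims = { iss: 'https://example.okta.com', sub: user.sub };
  if (scopes.includes('email')) {
    claims.email = user.email;
    claims.email_verified = user.emailVerified;
  }
  if (scopes.includes('profile')) {
    claims.name = user.name;
  }
  return claims;
}

// What a processProfile-style function should do with jwtClaims: refuse to
// continue when the email claim is missing (scope not requested) or when the
// provider marks it unverified, instead of creating a user with no email.
function emailFromClaims(jwtClaims) {
  if (typeof jwtClaims.email !== 'string' || jwtClaims.email.length === 0) {
    throw new Error("ID token has no 'email' claim; add the 'email' scope to the OIDC request");
  }
  if (jwtClaims.email_verified === false) {
    throw new Error('email claim is present but not verified by the provider');
  }
  return jwtClaims.email.toLowerCase();
}

// Walk-through on a constructed user record.
function demo() {
  const user = { sub: '00u1abc', email: 'Alice@Example.com', emailVerified: true, name: 'Alice' };
  const results = {};

  // Default config (no scope field): only 'openid' is sent, so no email comes back.
  const onlyOpenid = simulateIdTokenClaims(buildScopes({}), user);
  try {
    emailFromClaims(onlyOpenid);
    results.defaultConfig = 'unexpected success';
  } catch (e) {
    results.defaultConfig = e.message;
  }

  // Config with the extra scopes the issue asks for: email is present and usable.
  const withEmail = simulateIdTokenClaims(buildScopes({ scope: 'openid profile email' }), user);
  results.withEmailScope = emailFromClaims(withEmail);
  return results;
}
```

Running `demo()` returns the error message for the default configuration and the normalized email address for the configuration that includes the `email` scope; the `email_verified` check is an extra hardening step beyond what the issue asks for, since an unverified address should not be trusted as an account identity.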