feat(auth): add env variable to force user-info usage instead of idtoken (#2711)

packages/auth/env.ts

@@ -39,6 +39,7 @@ export const env = createEnv({
           AUTH_OIDC_SCOPE_OVERWRITE: z.string().min(1).default("openid email profile groups"),
           AUTH_OIDC_GROUPS_ATTRIBUTE: z.string().default("groups"), // Is used in the signIn event to assign the correct groups, key is from object of decoded id_token
           AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: z.string().optional(),
+          AUTH_OIDC_FORCE_USERINFO: createBooleanSchema(false),
         }
       : {}),
     ...(authProviders.includes("ldap")

packages/auth/providers/oidc/oidc-provider.ts

@@ -22,6 +22,10 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
       redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc", "https"),
     },
   },
+  // idToken false forces the use of the userinfo endpoint
+  // Userinfo endpoint is required for authelia since v4.39
+  // See https://github.com/homarr-labs/homarr/issues/2635
+  idToken: !env.AUTH_OIDC_FORCE_USERINFO,
   profile(profile) {
     if (!profile.sub) {
       throw new Error(`OIDC provider did not return a sub property='${Object.keys(profile).join(",")}'`);

turbo.json

@@ -14,6 +14,7 @@
     "AUTH_OIDC_CLIENT_ID",
     "AUTH_OIDC_CLIENT_NAME",
     "AUTH_OIDC_CLIENT_SECRET",
+    "AUTH_OIDC_FORCE_USERINFO",
     "AUTH_OIDC_ISSUER",
     "AUTH_OIDC_SCOPE_OVERWRITE",
     "AUTH_OIDC_GROUPS_ATTRIBUTE",