fix: address CodeRabbit review feedback for OIDC support

- Add nil guards for OIDCOAuthConfig/OIDCProvider in both handlers to
  prevent nil pointer panic when OIDC is disabled
- Move AllowSignup check from start handler to CreateUser path so
  existing OIDC users can still log in when signup is disabled
- Require email_verified before authorizing or linking by email
- Add UserInfo endpoint fallback when ID token lacks optional claims
  (email, name, email_verified)
- Normalize BaseURL with TrimRight to prevent double-slash redirect URIs
- Add 30s timeout context for OIDC discovery at startup
- Enforce 'openid' scope is always present in configured scopes
- Add ScopesString field for reliable env var binding (matching existing
  ServicesString/AllowedOriginsString pattern)

Author: yaswanthkumar1995

api/v1/server/handlers/users/oidc_oauth_callback.go

@@ -21,6 +21,10 @@ import (
 
 // Note: we want all errors to redirect, otherwise the user will be greeted with raw JSON in the middle of the login flow.
 func (u *UserService) UserUpdateOidcOauthCallback(ctx echo.Context, _ gen.UserUpdateOidcOauthCallbackRequestObject) (gen.UserUpdateOidcOauthCallbackResponseObject, error) {
+	if u.config.Auth.OIDCOAuthConfig == nil || u.config.Auth.OIDCProvider == nil {
+		return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, nil, "OIDC authentication is not configured.")
+	}
+
 	isValid, _, err := authn.NewSessionHelpers(u.config.SessionStore).ValidateOAuthState(ctx, "oidc")
 
 	if err != nil || !isValid {
@@ -79,6 +83,10 @@ func (u *UserService) upsertOIDCUserFromToken(ctx context.Context, config *serve
 		return nil, err
 	}
 
+	if !claims.EmailVerified {
+		return nil, fmt.Errorf("OIDC provider did not verify the email address")
+	}
+
 	expiresAt := tok.Expiry
 
 	accessTokenEncrypted, err := config.Encryption.Encrypt([]byte(tok.AccessToken), "oidc_access_token")
@@ -118,6 +126,10 @@ func (u *UserService) upsertOIDCUserFromToken(ctx context.Context, config *serve
 			return nil, fmt.Errorf("failed to update user: %s", err.Error())
 		}
 	case pgx.ErrNoRows:
+		if !config.Runtime.AllowSignup {
+			return nil, fmt.Errorf("user signup is disabled")
+		}
+
 		user, err = u.config.V1.User().CreateUser(ctx, &v1.CreateUserOpts{
 			Email:         claims.Email,
 			EmailVerified: v1.BoolPtr(claims.EmailVerified),
@@ -162,6 +174,29 @@ func getOIDCClaimsFromToken(ctx context.Context, config *server.ServerConfig, to
 		return nil, fmt.Errorf("failed to parse ID token claims: %s", err.Error())
 	}
 
+	// Fall back to UserInfo endpoint when the ID token is missing optional claims.
+	// The OIDC spec does not require providers to include email/name in the ID token.
+	if claims.Email == "" || claims.Name == "" || !claims.EmailVerified {
+		userInfo, uiErr := config.Auth.OIDCProvider.UserInfo(ctx, oauth2.StaticTokenSource(tok))
+		if uiErr == nil {
+			uiClaims := &oidcClaims{}
+			if err := userInfo.Claims(uiClaims); err == nil {
+				if claims.Email == "" {
+					claims.Email = uiClaims.Email
+				}
+				if claims.Name == "" {
+					claims.Name = uiClaims.Name
+				}
+				if !claims.EmailVerified && uiClaims.EmailVerified {
+					claims.EmailVerified = true
+				}
+				if claims.Sub == "" {
+					claims.Sub = uiClaims.Sub
+				}
+			}
+		}
+	}
+
 	if claims.Email == "" {
 		return nil, fmt.Errorf("OIDC provider did not return an email claim")
 	}

api/v1/server/handlers/users/oidc_oauth_start.go

@@ -10,8 +10,8 @@ import (
 
 // Note: we want all errors to redirect, otherwise the user will be greeted with raw JSON in the middle of the login flow.
 func (u *UserService) UserUpdateOidcOauthStart(ctx echo.Context, _ gen.UserUpdateOidcOauthStartRequestObject) (gen.UserUpdateOidcOauthStartResponseObject, error) {
-	if !u.config.Runtime.AllowSignup {
-		return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, nil, "User signup is disabled.")
+	if u.config.Auth.OIDCOAuthConfig == nil {
+		return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, nil, "OIDC authentication is not configured.")
 	}
 
 	state, err := authn.NewSessionHelpers(u.config.SessionStore).SaveOAuthState(ctx, "oidc")

pkg/auth/oauth/configs.go

@@ -1,6 +1,8 @@
 package oauth
 
 import (
+	"strings"
+
 	"golang.org/x/oauth2"
 )
 
@@ -77,7 +79,7 @@ func NewOIDCClient(cfg *OIDCConfig) *oauth2.Config {
 			AuthURL:  cfg.AuthURL,
 			TokenURL: cfg.TokenURL,
 		},
-		RedirectURL: cfg.BaseURL + "/api/v1/users/oidc/callback",
+		RedirectURL: strings.TrimRight(cfg.BaseURL, "/") + "/api/v1/users/oidc/callback",
 		Scopes:      cfg.Scopes,
 	}
 }

pkg/config/loader/loader.go

@@ -634,7 +634,23 @@ func createControllerLayer(dc *database.Layer, cf *server.ServerConfigFile, vers
 			return nil, nil, fmt.Errorf("oidc issuer url is required")
 		}
 
-		oidcProvider, err := oidc.NewProvider(context.Background(), cf.Auth.OIDC.IssuerURL)
+		// Ensure "openid" scope is always present, since we rely on the ID token.
+		hasOpenID := false
+		for _, s := range cf.Auth.OIDC.Scopes {
+			if s == "openid" {
+				hasOpenID = true
+				break
+			}
+		}
+
+		if !hasOpenID {
+			cf.Auth.OIDC.Scopes = append([]string{"openid"}, cf.Auth.OIDC.Scopes...)
+		}
+
+		discoveryCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+
+		oidcProvider, err := oidc.NewProvider(discoveryCtx, cf.Auth.OIDC.IssuerURL)
 		if err != nil {
 			return nil, nil, fmt.Errorf("could not create OIDC provider from issuer URL %s: %w", cf.Auth.OIDC.IssuerURL, err)
 		}
@@ -804,6 +820,10 @@ func createControllerLayer(dc *database.Layer, cf *server.ServerConfigFile, vers
 		cf.Runtime.AllowedOrigins = getStrArr(cf.Runtime.AllowedOriginsString)
 	}
 
+	if cf.Auth.OIDC.ScopesString != "" {
+		cf.Auth.OIDC.Scopes = getStrArr(cf.Auth.OIDC.ScopesString)
+	}
+
 	if cf.Runtime.Monitoring.TLSRootCAFile == "" {
 		cf.Runtime.Monitoring.TLSRootCAFile = cf.TLS.TLSRootCAFile
 	}

pkg/config/server/server.go

@@ -505,6 +505,9 @@ type ConfigFileAuthOIDC struct {
 	ClientSecret string   `mapstructure:"clientSecret" json:"clientSecret,omitempty"`
 	IssuerURL    string   `mapstructure:"issuerURL" json:"issuerURL,omitempty"`
 	Scopes       []string `mapstructure:"scopes" json:"scopes,omitempty" default:"[\"openid\", \"profile\", \"email\"]"`
+	// ScopesString is used to bind the SERVER_AUTH_OIDC_SCOPES env var, since
+	// direct env-to-[]string binding is unreliable without a decode hook.
+	ScopesString string `mapstructure:"scopesString" json:"scopesString,omitempty"`
 }
 
 type ConfigFileAuthCookie struct {
@@ -858,6 +861,7 @@ func BindAllEnv(v *viper.Viper) {
 	_ = v.BindEnv("auth.oidc.clientSecret", "SERVER_AUTH_OIDC_CLIENT_SECRET")
 	_ = v.BindEnv("auth.oidc.issuerURL", "SERVER_AUTH_OIDC_ISSUER_URL")
 	_ = v.BindEnv("auth.oidc.scopes", "SERVER_AUTH_OIDC_SCOPES")
+	_ = v.BindEnv("auth.oidc.scopesString", "SERVER_AUTH_OIDC_SCOPES")
 
 	// task queue options
 	// legacy options