feat: enhance OIDC support by validating UserInfo sub claim and parsing scopes from config

Author: yaswanthkumar1995

api/v1/server/handlers/users/oidc_oauth_callback.go

@@ -181,6 +181,10 @@ func getOIDCClaimsFromToken(ctx context.Context, config *server.ServerConfig, to
 		if uiErr == nil {
 			uiClaims := &oidcClaims{}
 			if err := userInfo.Claims(uiClaims); err == nil {
+				// Per OIDC spec, the UserInfo sub must match the ID token sub.
+				if uiClaims.Sub != "" && claims.Sub != "" && uiClaims.Sub != claims.Sub {
+					return nil, fmt.Errorf("OIDC UserInfo sub claim (%s) does not match ID token sub claim (%s)", uiClaims.Sub, claims.Sub)
+				}
 				if claims.Email == "" {
 					claims.Email = uiClaims.Email
 				}

pkg/config/loader/loader.go

@@ -622,6 +622,11 @@ func createControllerLayer(dc *database.Layer, cf *server.ServerConfigFile, vers
 	}
 
 	if cf.Auth.OIDC.Enabled {
+		// Parse ScopesString before building OIDCOAuthConfig so the env var is used.
+		if cf.Auth.OIDC.ScopesString != "" {
+			cf.Auth.OIDC.Scopes = getStrArr(cf.Auth.OIDC.ScopesString)
+		}
+
 		if cf.Auth.OIDC.ClientID == "" {
 			return nil, nil, fmt.Errorf("oidc client id is required")
 		}
@@ -820,10 +825,6 @@ func createControllerLayer(dc *database.Layer, cf *server.ServerConfigFile, vers
 		cf.Runtime.AllowedOrigins = getStrArr(cf.Runtime.AllowedOriginsString)
 	}
 
-	if cf.Auth.OIDC.ScopesString != "" {
-		cf.Auth.OIDC.Scopes = getStrArr(cf.Auth.OIDC.ScopesString)
-	}
-
 	if cf.Runtime.Monitoring.TLSRootCAFile == "" {
 		cf.Runtime.Monitoring.TLSRootCAFile = cf.TLS.TLSRootCAFile
 	}