From that link:
Note that the e-mail address may not be returned in a ‘name’ claim.
That is indeed what we’re seeing - so it sounds like AD does not quite comply with the openid-connect specification. If you can manage to configure AD to return it in the email claim, that would be the best solution. However, it looks like even Microsoft’s own ruby implementation hacks around the problem:
You could try https://github.com/discourse/discourse-azure-ad instead (which uses https://github.com/KonaTeam/omniauth-azure-oauth2 under the covers)
If you really want to use the openid-connect plugin, you could write another plugin to ‘trick’ our openid-connect plugin into using the upn for the email address. Note that this would not be a ‘supported’ configuration, but if you have some ruby experience you could do something like this (not tested):
after_initialize do
  # Runs after the OpenID Connect handshake: copy the AD upn claim into the
  # email field before handing off to the stock authenticator.
  module SwapNameEmail
    def after_authenticate(auth_token, existing_account: nil)
      upn = auth_token.dig(:extra, :raw_info, :upn)
      # Only override when AD actually sent a upn; otherwise keep whatever
      # (if anything) arrived in the email claim.
      auth_token[:info][:email] = upn unless upn.to_s.empty?
      super # same arguments, original behaviour
    end
  end

  ::OpenIDConnectAuthenticator.class_eval do
    prepend SwapNameEmail
  end
end
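To try the prepend trick outside Discourse before deploying it, here is an added example (not code from the post or from the Discourse plugins) that uses a stand-in `OpenIDConnectAuthenticator` class, constructed auth hashes in the OmniAuth `info` / `extra.raw_info` layout the post relies on, and a simple address check so a non-mail upn such as `DOMAIN\alice` is never stored as an email:

```ruby
# Added example: exercises the "prepend a module over the authenticator"
# trick offline. The authenticator class below is a stand-in for the real
# Discourse one and only echoes the email it was handed.
Result = Struct.new(:email, :existing_account)

class OpenIDConnectAuthenticator
  def after_authenticate(auth_token, existing_account: nil)
    Result.new(auth_token.dig(:info, :email), existing_account)
  end
end

# Same shape as the post's module, plus two guards: the upn is used only when
# no email claim arrived, and only when it actually looks like an address.
module SwapNameEmail
  UPN_EMAIL = /\A[^@\s]+@[^@\s]+\z/

  def after_authenticate(auth_token, existing_account: nil)
    if auth_token.dig(:info, :email).to_s.empty?
      upn = auth_token.dig(:extra, :raw_info, :upn).to_s
      auth_token[:info][:email] = upn if upn.match?(UPN_EMAIL)
    end
    super # prepend means this runs first, then the real implementation
  end
end

OpenIDConnectAuthenticator.prepend(SwapNameEmail)

# Builds a constructed auth hash and returns the email the authenticator ends
# up with (nil when neither claim yields a usable address).
def resolve_email(upn, email: nil)
  auth = { info: { email: email }, extra: { raw_info: { upn: upn } } }
  OpenIDConnectAuthenticator.new.after_authenticate(auth).email
end

if __FILE__ == $PROGRAM_NAME
  p resolve_email('alice@example.com')                       # upn used
  p resolve_email('alice@example.com', email: 'a@b.example') # email kept
  p resolve_email('DOMAIN\\alice')                           # nil
end
```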