OpenID with line.biz - email in JWT, missing in userinfo

Hello,
For the last couple of days I’ve been trying to figure out how OpenID works in conjunction with Line (https://developers.line.biz/en/reference/line-login/), so I installed openid

The OpenID Connect discovery document for Line is found here:
https://access.line.me/.well-known/openid-configuration

I set up the openid profile and email scopes.

According to line.biz, the email address is in the token, and everything looks OK so far when I look in my logs.
I got the email address in the JWT file extracted from the token, like:
OIDC Log: Verified JWT—
iss: https://access.line.me
sub: Uf3156a0081c563144b3
aud: ‘1657458025’
exp: 1662826967
iat: 1662823367
nonce: f5930aa4c2bd1b3807d
amr:

But after requesting https://api.line.me/oauth2/v2.1/userinfo
the email address isn’t included, only the name and the sub UserId.

A look at the Line documentation under userinfo suggests this is correct. The userinfo doesn’t include the email.

So what could I do to extract the email address from the JWT response? I tried to use claims, and maybe there is a way to get it that I’m missing? Or is that going nowhere? Makes me dizzy :)

Thank you!

Edit:
I read on the OpenID Plugin Page: openid
If the discovery document includes a userinfo_endpoint parameter, then the plugin will use that to collect user metadata. If not, the plugin will extract metadata from the id_token (A JWT) supplied by the token endpoint.

So one solution would be to tell the plugin not to use the userinfo endpoint? That would be great. But could I do that?

OK, I got it. Maybe not the best solution, but because the plugin uses the JWT data if the userinfo endpoint isn’t available, I forked the plugin on GitHub and set in:

discourse-openid-connect/lib/omniauth_open_id_connect.rb

line 18 - option :use_userinfo, to false instead of true.

That’s it.

It would be nice to have an option in the settings of the plugin to choose between userinfo or JWT response.
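
A way to combine both sources rather than pick one, shown as an added example (not the plugin's code and not part of the original post): claims from an already verified id_token fill in what the userinfo response omits, after checking that both carry the same sub as OpenID Connect Core 5.3.2 requires. The function names, error class and sample values are constructed for illustration.

```ruby
require "base64"
require "json"

# Hypothetical error type for this example.
class SubMismatchError < StandardError; end

# Claims a provider may place in the ID token, the UserInfo response, or both.
PROFILE_CLAIMS = %w[email email_verified name picture].freeze

# Read the payload of a compact JWT. This does NOT verify anything.
# Assumption: signature, iss, aud, exp and nonce were checked beforehand
# (the "Verified JWT" step in the log above).
def jwt_payload(id_token)
  segments = id_token.split(".")
  raise ArgumentError, "not a compact JWT" unless segments.length == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# UserInfo values win when present; ID-token claims fill the gaps,
# e.g. an email that the provider only puts in the token.
def merged_user_claims(id_token_claims, userinfo)
  userinfo ||= {}
  # OIDC Core 5.3.2: a UserInfo response whose sub differs from the
  # ID token's sub must not be used.
  if !userinfo.empty? && userinfo["sub"] != id_token_claims["sub"]
    raise SubMismatchError, "userinfo sub does not match id_token sub"
  end
  merged = { "sub" => id_token_claims["sub"] }
  PROFILE_CLAIMS.each do |claim|
    value = userinfo[claim]
    value = id_token_claims[claim] if value.nil?
    merged[claim] = value unless value.nil?
  end
  merged
end

# Constructed sample data, not real LINE output.
def b64url(obj)
  Base64.urlsafe_encode64(JSON.generate(obj), padding: false)
end

SAMPLE_ID_TOKEN = [
  b64url({ "alg" => "HS256", "typ" => "JWT" }),
  b64url({ "iss" => "https://access.line.me", "sub" => "U-example-sub",
           "email" => "user@example.com" }),
  "signature-placeholder"
].join(".")
SAMPLE_USERINFO = { "sub" => "U-example-sub", "name" => "Example User" }.freeze

puts merged_user_claims(jwt_payload(SAMPLE_ID_TOKEN), SAMPLE_USERINFO)
```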
