OpenID with line.biz - email in JWT, missing in userinfo

Hello,
For the last couple of days I've been trying to figure out how OpenID works in conjunction with Line: https://developers.line.biz/en/reference/line-login/ , so I installed openid

The OpenID Connect discovery document for Line is found here:
https://access.line.me/.well-known/openid-configuration

I set up the openid profile and email scopes.

According to line.biz, the email address is in the token, and everything looks OK so far when I look in my logs.
I got the email address in the JWT file extracted from the token, like:
```
OIDC Log: Verified JWT—
iss: https://access.line.me
sub: Uf3156a0081c563144b3
aud: '1657458025'
exp: 1662826967
iat: 1662823367
nonce: f5930aa4c2bd1b3807d
amr:
```

But after requesting https://api.line.me/oauth2/v2.1/userinfo , the email address isn't included, only the name and the sub UserId.

Looking at the Line documents under userinfo, it seems like this is correct. The userinfo doesn't include the email.

So what could I do to extract the email address from the JWT response? I tried to use claims, and maybe there is a way to get it that I'm missing? Or is that going nowhere? Makes me dizzy :slight_smile:

Thank you!

Edit:
I read on the OpenID Plugin Page: openid
If the discovery document includes a userinfo_endpoint parameter, then the plugin will use that to collect user metadata. If not, the plugin will extract metadata from the id_token (A JWT) supplied by the token endpoint.

So one solution would be to tell the plugin not to use the userinfo endpoint? That would be great. But could I do that?

OK, I got it. Maybe not the best solution, but because the plugin uses the JWT data if the userinfo endpoint isn't available, I forked the plugin on GitHub and set in:

discourse-openid-connect/lib/omniauth_open_id_connect.rb

line 18 - option :use_userinfo, to false instead of true.

That’s it.

It would be nice to have an option in the settings of the plugin to choose between userinfo or JWT response.
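
Reading `email` from the id_token instead of userinfo, as the post above ends up doing, means the token's claims become the source of identity. The Ruby code below is an added example, not code from the Discourse plugin or from LINE: it verifies an ID token before using its `email` and checks that the userinfo `sub` matches the token's `sub`, as OpenID Connect Core requires. It assumes an HS256-signed token; the helper names, the secret and the sample token builder are hypothetical.

```ruby
require "json"
require "openssl"

# Added example, not the plugin's code. Assumes an HS256-signed ID token;
# every secret, id and token used with it is a constructed sample value.
def b64url_encode(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack1("m")
end

def hs256(secret, data)
  OpenSSL::HMAC.digest("SHA256", secret, data)
end

# Hypothetical helper: builds a signed sample token (stands in for the provider).
def sample_id_token(claims, secret)
  parts = [{ "alg" => "HS256", "typ" => "JWT" }, claims]
  signing_input = parts.map { |p| b64url_encode(JSON.generate(p)) }.join(".")
  "#{signing_input}.#{b64url_encode(hs256(secret, signing_input))}"
end

def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the claims only if signature, alg, iss, aud, exp and nonce all check out.
def verified_id_token_claims(jwt, secret:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  head, body, sig = jwt.split(".", -1)
  raise ArgumentError, "malformed token" unless jwt.count(".") == 2
  raise ArgumentError, "unexpected alg" unless JSON.parse(b64url_decode(head))["alg"] == "HS256"
  raise ArgumentError, "bad signature" unless constant_time_equal?(hs256(secret, "#{head}.#{body}"), b64url_decode(sig))
  claims = JSON.parse(b64url_decode(body))
  raise ArgumentError, "wrong iss" unless claims["iss"] == issuer
  raise ArgumentError, "wrong aud" unless Array(claims["aud"]).include?(client_id)
  raise ArgumentError, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  raise ArgumentError, "nonce mismatch" unless claims["nonce"] == nonce
  claims
end

# userinfo supplies the display name; the verified ID token supplies the email.
def merged_profile(id_claims, userinfo)
  raise ArgumentError, "sub mismatch" unless userinfo["sub"] == id_claims["sub"]
  { "sub" => id_claims["sub"], "name" => userinfo["name"], "email" => id_claims["email"] }
end
```
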
