fix(sso): prefer UserInfo endpoint over ID token and map sub claim correctly (#8276)

himself65 · Copilot · himself65 · commit f88bcd746058 · 2026-03-03T18:28:54.000+09:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/packages/sso/src/oidc.test.ts b/packages/sso/src/oidc.test.ts
@@ -742,14 +742,14 @@ describe("provisioning", async (ctx) => {
 			headers,
 		});
 		const member = org?.members.find(
-			(m: any) => m.user.email === "sso-user@localhost:8000.com",
+			(m: any) => m.user.email === "test@localhost.com",
 		);
 		expect(member).toMatchObject({
 			role: "member",
 			user: {
 				id: expect.any(String),
-				name: "Test User",
-				email: "sso-user@localhost:8000.com",
+				name: "OAuth2 Test",
+				email: "test@localhost.com",
 				image: "https://test.com/picture.png",
 			},
 		});
@@ -1261,3 +1261,133 @@ describe("OIDC SSO with defaultSSO array", async () => {
 		);
 	});
 });
+
+/**
+ * @see https://github.com/better-auth/better-auth/issues/8269
+ */
+describe("SSO OIDC UserInfo endpoint sub claim mapping", async () => {
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
+			plugins: [sso(), organization()],
+		});
+
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: { customFetchImpl },
+	});
+
+	const userinfoHandler = (userInfoResponse: any) => {
+		userInfoResponse.body = {
+			sub: "userinfo-only-sub-id",
+			email: "userinfo-only@test.com",
+			name: "UserInfo Only User",
+			picture: "https://test.com/picture.png",
+			email_verified: true,
+		};
+		userInfoResponse.statusCode = 200;
+	};
+
+	// Strip the id_token from the token endpoint response to simulate providers
+	// that do not include user claims in the ID token (or return no ID token).
+	const beforeResponseHandler = (tokenEndpointResponse: any) => {
+		tokenEndpointResponse.body.id_token = undefined;
+	};
+
+	const tokenHandler = (token: any) => {
+		// Intentionally leave the token payload minimal — no email claim —
+		// so that the UserInfo endpoint path is exercised.
+	};
+
+	beforeAll(async () => {
+		await server.issuer.keys.generate("RS256");
+		server.service.removeAllListeners("beforeUserinfo");
+		server.service.removeAllListeners("beforeTokenSigning");
+		server.service.removeAllListeners("beforeResponse");
+		server.service.on("beforeUserinfo", userinfoHandler);
+		server.service.on("beforeTokenSigning", tokenHandler);
+		server.service.on("beforeResponse", beforeResponseHandler);
+		await server.start(8080, "localhost");
+	});
+
+	afterAll(async () => {
+		server.service.removeListener("beforeUserinfo", userinfoHandler);
+		server.service.removeListener("beforeTokenSigning", tokenHandler);
+		server.service.removeListener("beforeResponse", beforeResponseHandler);
+		await server.stop().catch(() => {});
+	});
+
+	async function simulateOAuthFlow(authUrl: string, headers: Headers) {
+		let location: string | null = null;
+		await betterFetch(authUrl, {
+			method: "GET",
+			redirect: "manual",
+			onError(context) {
+				location = context.response.headers.get("location");
+			},
+		});
+
+		if (!location) throw new Error("No redirect location found");
+		const newHeaders = new Headers();
+		let callbackURL = "";
+		await betterFetch(location, {
+			method: "GET",
+			customFetchImpl,
+			headers,
+			onError(context) {
+				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
+			},
+		});
+
+		return { callbackURL, headers: newHeaders };
+	}
+
+	it("should sign in successfully using sub claim from UserInfo endpoint when no ID token is returned", async () => {
+		const { headers } = await signInWithTestUser();
+		await auth.api.registerSSOProvider({
+			body: {
+				issuer: server.issuer.url!,
+				domain: "test.com",
+				providerId: "userinfo-sub-test",
+				oidcConfig: {
+					clientId: "test",
+					clientSecret: "test",
+					authorizationEndpoint: `${server.issuer.url}/authorize`,
+					tokenEndpoint: `${server.issuer.url}/token`,
+					jwksEndpoint: `${server.issuer.url}/jwks`,
+					userInfoEndpoint: `${server.issuer.url}/userinfo`,
+					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
+				},
+			},
+			headers,
+		});
+
+		const signInHeaders = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "user@test.com",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(signInHeaders),
+			},
+		});
+
+		const { callbackURL, headers: sessionHeaders } = await simulateOAuthFlow(
+			res.url,
+			signInHeaders,
+		);
+
+		// Should redirect to dashboard, not an error page
+		expect(callbackURL).toContain("/dashboard");
+		expect(callbackURL).not.toContain("error=invalid_provider");
+		expect(callbackURL).not.toContain("missing_user_info");
+
+		// Verify the session was created with the correct email from UserInfo
+		const session = await authClient.getSession({
+			fetchOptions: { headers: sessionHeaders },
+		});
+		expect(session.data?.user.email).toBe("userinfo-only@test.com");
+	});
+});
diff --git a/packages/sso/src/routes/sso.ts b/packages/sso/src/routes/sso.ts
@@ -1630,7 +1630,43 @@ async function handleOIDCCallback(
 		emailVerified?: boolean;
 		[key: string]: any;
 	} | null = null;
-	if (tokenResponse.idToken) {
+	const mapping = config.mapping || {};
+
+	if (config.userInfoEndpoint) {
+		const userInfoResponse = await betterFetch<Record<string, unknown>>(
+			config.userInfoEndpoint,
+			{
+				headers: {
+					Authorization: `Bearer ${tokenResponse.accessToken}`,
+				},
+			},
+		);
+		if (userInfoResponse.error) {
+			throw ctx.redirect(
+				`${errorURL || callbackURL}?error=invalid_provider&error_description=${
+					userInfoResponse.error.message
+				}`,
+			);
+		}
+		const rawUserInfo = userInfoResponse.data;
+		userInfo = {
+			...Object.fromEntries(
+				Object.entries(mapping.extraFields || {}).map(([key, value]) => [
+					key,
+					rawUserInfo[value],
+				]),
+			),
+			id: rawUserInfo[mapping.id || "sub"] as string | undefined,
+			email: rawUserInfo[mapping.email || "email"] as string | undefined,
+			emailVerified: options?.trustEmailVerified
+				? (rawUserInfo[mapping.emailVerified || "email_verified"] as
+						| boolean
+						| undefined)
+				: false,
+			name: rawUserInfo[mapping.name || "name"] as string | undefined,
+			image: rawUserInfo[mapping.image || "picture"] as string | undefined,
+		};
+	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
 		if (!config.jwksEndpoint) {
 			throw ctx.redirect(
@@ -1658,7 +1694,6 @@ async function handleOIDCCallback(
 			);
 		}
 
-		const mapping = config.mapping || {};
 		userInfo = {
 			...Object.fromEntries(
 				Object.entries(mapping.extraFields || {}).map(([key, value]) => [
@@ -1680,35 +1715,12 @@ async function handleOIDCCallback(
 			image?: string;
 			emailVerified?: boolean;
 		};
-	}
-
-	if (!userInfo) {
-		if (!config.userInfoEndpoint) {
-			throw ctx.redirect(
-				`${
-					errorURL || callbackURL
-				}?error=invalid_provider&error_description=user_info_endpoint_not_found`,
-			);
-		}
-		const userInfoResponse = await betterFetch<{
-			email?: string;
-			name?: string;
-			id?: string;
-			image?: string;
-			emailVerified?: boolean;
-		}>(config.userInfoEndpoint, {
-			headers: {
-				Authorization: `Bearer ${tokenResponse.accessToken}`,
-			},
-		});
-		if (userInfoResponse.error) {
-			throw ctx.redirect(
-				`${errorURL || callbackURL}?error=invalid_provider&error_description=${
-					userInfoResponse.error.message
-				}`,
-			);
-		}
-		userInfo = userInfoResponse.data;
+	} else {
+		throw ctx.redirect(
+			`${
+				errorURL || callbackURL
+			}?error=invalid_provider&error_description=user_info_endpoint_not_found`,
+		);
 	}
 
 	if (!userInfo.email || !userInfo.id) {
