Feature Request : Inclusion of OIDC Profile Claims in Cloudron Token
Cloudron offers an OpenID Connect (OIDC) implementation for centralized authentication across applications. However, to seamlessly integrate with third-party systems like Pangolin, certain user profile claims must be included in the OIDC token issued by Cloudron. Currently, these claims are not consistently present, requiring the use of an additional identity provider (such as Keycloak) to bridge this gap.
Issue
To enable direct and secure login between Cloudron and Pangolin (or similar applications), the OIDC token must include the following claims:
- email: the user's email address, used for identification and communication.
- sub: the unique user identifier (subject claim), essential for session management and stable identification of the account.
- preferred_username: the user's primary username, often required for display and authorization purposes.
Without these claims, integration with Pangolin is not possible without relying on an external solution, which complicates the architecture and increases maintenance costs.
Request
We request the automatic inclusion of the email, sub, and preferred_username claims in the ID token generated by Cloudron. These claims are standardized by OIDC Core 1.0 and widely supported by modern identity providers: sub is a mandatory claim of every ID token, while email and preferred_username are requested with the email and profile scopes. In the authorization code flow the specification returns scope-requested claims from the UserInfo endpoint by default and leaves providers free to include them in the ID token as well, which is what this request asks for.
Expected Benefits
- Simplified Integration: Enable direct login with applications like Pangolin, without depending on Keycloak or other third-party solutions.
- Standards Compliance: Align Cloudron with OIDC best practices, improving interoperability with other tools.
- Unified User Experience: Reduce configuration steps for administrators and end users.
Suggested Implementation
- Add an option in Cloudron's admin interface to enable/disable the inclusion of the email, sub, and preferred_username claims in the ID token.
- Allow the OIDC client to explicitly request these claims with a standard parameter in the authentication request, i.e. the scopes (scope=openid email profile) or a custom parameter.
- Implement a mechanism so that the token carries these additional claims only when the client explicitly requests them, for example via a value in the "Signature Algorithm" field (e.g. RS256 + Profile). Note that the JOSE alg header only names the signing algorithm, so the scope (or the OIDC claims parameter) is the standard place to express this.
- Ensure that the email, sub, and preferred_username claims are always present in the token when this option is enabled, unless explicitly disabled.
- Document this feature in the OIDC authentication section of the official documentation, specifying how clients should format their request to obtain these claims.
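The following is an added example (not code from Cloudron or Pangolin) of both sides of the exchange above: the relying party builds an authorization request with scope=openid email profile, and after the code exchange it validates the ID token and checks that sub, email and preferred_username are actually present before creating a session. To run offline with only the standard library it signs a constructed token with HS256 and a shared secret; a real relying party validates Cloudron's RS256 signature against the keys published at the provider's JWKS URL with a JOSE library. The issuer, client id, nonce and claim values are constructed sample data, and the authorization_endpoint is assumed to have been read from the provider's discovery document.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional
from urllib.parse import urlencode

# Claims the relying party (e.g. Pangolin) needs in the ID token.
REQUIRED_CLAIMS = ("sub", "email", "preferred_username")


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization request asking for the scopes that carry the three claims."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",  # email -> email, profile -> preferred_username
        "state": state,                   # CSRF protection for the redirect
        "nonce": nonce,                   # bound into the ID token, checked below
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Provider side (constructed): HS256-signed JWT so the example is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party side: check signature, alg, iss, aud, exp and nonce; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust alg from the token; pin what you expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token not issued for this client")
    if float(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return payload


def missing_profile_claims(payload: dict) -> List[str]:
    """Names of the required claims that are absent or empty in a verified payload."""
    return [c for c in REQUIRED_CLAIMS if not payload.get(c)]


if __name__ == "__main__":
    # Constructed sample data, not real Cloudron or Pangolin identifiers.
    secret = b"constructed-shared-secret"
    issuer = "https://my.cloudron.example"
    print(build_authorization_url(f"{issuer}/openid/authorize", "pangolin",
                                  "https://pangolin.example/callback", "st-1", "n-1"))
    claims = {"iss": issuer, "aud": "pangolin", "sub": "uid-123", "nonce": "n-1",
              "email": "alice@example.com", "preferred_username": "alice",
              "iat": 1700000000, "exp": 1700003600}
    token = mint_id_token(claims, secret)
    verified = verify_id_token(token, secret, issuer, "pangolin", "n-1", now=1700000100)
    print("missing claims:", missing_profile_claims(verified))
```

If missing_profile_claims returns a non-empty list the relying party should refuse to create the session (or fall back to the UserInfo endpoint) rather than guessing an identity from whatever claims did arrive; this is exactly the failure that currently forces an intermediate provider such as Keycloak.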
Use Case
A user or organization wishing to connect Cloudron to Pangolin (or a similar application) will be able to configure OIDC authentication without deploying an additional identity server, thereby reducing complexity and associated security risks.