What do we use the profileURL for at the moment? IIRC it's used to try and find a claim if the ID Token doesn't contain the claim right?

Is there some way we can make a generic claim extraction that tries to get a claim and if not falls back to the profile URL? But do so in a way that the profile URL is called at most once 🤔 This is something I was thinking about for when we support any additional claim users want us to try and look up, we will need some logic like this I would imagine

If any claims are missing from the IDToken (email & potentiall groups in the future) -- OIDC provider attempts to get it from the profileURL here:

We are migrating this logic in the other providers to EnrichSessionState (a lot of them previously had it in GetEmailAddress). Makes sense to do the same in OIDC.

Also helps reduce the complexity of the logic where we try to figure out how findClaimsFromIDToken is called (since in the Bearer auth case the function is also used, we do not want call the profileURL, we take what we get)

Is there some way we can make a generic claim extraction that tries to get a claim and if not falls back to the profile URL? But do so in a way that the profile URL is called at most once 🤔 This is something I was thinking about for when we support any additional claim users want us to try and look up, we will need some logic like this I would imagine

Forgot to address this part: This is the benefit of moving the logic to EnrichSessionState, it is only called at the moment immediately after the initial Redeem method during initial sign in.

Hopefully #850 (comment) changes will be part of this issue.

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

This is done.