There might be situations where email is not provided at all (it is not mandatory), in that case it would be useful to default to the value of "sub" in the ID Token.

This would be a sensible improvement to make but is probably a fairly substantial change, gonna leave this as help-wanted for now and see if anyone picks it up. If not I might have some time in the not too distant future

So this appears to be working in the current version of oauth2_proxy. I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.

Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?

I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.

Can you tell me which provider you use?

Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?

I don't think we should be implementing case insensitivity when reading from IDTokens. OIDC tokens and userinfo endpoints encode data in JSON which is case sensitive. The OIDC Spec also lists the fields and their standard names that any provider should be using. I'd prefer not to have special logic for individual providers who are mis-implementing OIDC in the main codebase if possible.

@JoelSpeed It's an "internal" supposedly Open ID compliant system.

I asked the people responsible for the setup, and there wasn't necessarily a reason that they set it up that way, they just did (and apparently didn't understand the whole Open ID spec and weren't thinking)... I had them add the email key (lowercase) to get us in compliance.

I wouldn't be asking for anything from the IDTokens to be changed, I agree wholeheartedly that nothing should be touched there.

Email from the userinfo endpoint was the only field I was even suggesting be case insensitive, and I totally understand why you wouldn't want to do that.

That said, a method to override a keyname like email to something like eMail might add some flexibility for people like me who encounter brain dead corporate setups (though I understand that it would be a low priority).

I'm trying to use jetbrains hub and I'm getting the Error redeeming code during OAuth2 callback: unable to update session: id_token did not contain an email error.

I'm willing to do the work to get this fixed, I'm just not sure exactly what you all would be looking for here so some pointers would be cool.

Actually I found a work around by providing the --profile-url command line argument. For some reason I was assuming that there would be some auto configuration magic with .well-known/openid-configuration but whatever, I've got it working now ;)