diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
index 19c7e52de..d5ecf330e 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@@ -242,6 +242,16 @@ public sealed class AccountController : IdentityServerController
 if (isLoggedIn)
 {
 user = await userService.FindByLoginAsync(login.LoginProvider, login.ProviderKey, HttpContext.RequestAborted);
+
+ if (user != null && identityOptions.OidcOverridePermissionsWithCustomClaimsOnLogin)
+ {
+ var values = new UserValues
+ {
+ CustomClaims = login.Principal.Claims.GetSquidexClaims().ToList()
+ };
+
+ user = await userService.UpdateAsync(user.Id, values, false, HttpContext.RequestAborted);
+ }
 }
 else
 {
diff --git a/backend/src/Squidex/Config/MyIdentityOptions.cs b/backend/src/Squidex/Config/MyIdentityOptions.cs
index c91ac29de..148e284dc 100644
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@@ -59,6 +59,8 @@ public sealed class MyIdentityOptions
 public bool OidcGetClaimsFromUserInfoEndpoint { get; set; }
+ public bool OidcOverridePermissionsWithCustomClaimsOnLogin { get; set; }
+
 public bool AdminRecreate { get; set; }
 public bool AllowPasswordAuth { get; set; }
diff --git a/backend/src/Squidex/appsettings.json b/backend/src/Squidex/appsettings.json
index 89633af36..281dff641 100644
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@@ -599,6 +599,7 @@
 ],
 "oidcResponseType": "id_token", // or "code"
 "oidcGetClaimsFromUserInfoEndpoint": false,
+ "oidcOverridePermissionsWithCustomClaimsOnLogin": false,
 "oidcOnSignoutRedirectUrl": "",
 // Lock new users automatically, the administrator must unlock them.
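Review bot: The added block hands authorization over to the external IdP without saying so: `CustomClaims` is set wholesale from `login.Principal.Claims.GetSquidexClaims()`, so any permission claims an administrator granted inside Squidex appear to be discarded on every login, and an IdP that delivers no Squidex claims would strip the user to none (or, conversely, an IdP that emits an admin-level claim promotes the user without any local review). That is a reasonable opt-in contract, but the code should state it — e.g. above the `if`: `// Opt-in: the OIDC provider is the source of truth for permissions; this replaces (does not merge) the user's stored custom claims on every login.` — and an informational log entry when the stored claim set actually changes would make audits of privilege changes possible. The bare `false` passed to `UpdateAsync` should be a named argument so the reader knows which behaviour is being suppressed; I cannot see its parameter name from here. The enclosing method starts before and continues after this hunk, and the `else` branch for first-time users is outside view, so I cannot confirm whether newly created users receive the same claim mapping.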
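Review bot: The new `oidcOverridePermissionsWithCustomClaimsOnLogin` key is the only place an operator will discover this option, and unlike its neighbours (`// or "code"`, the `// Lock new users ...` line) it carries no explanation of a setting that changes who decides a user's permissions. Suggest a trailing comment in the file's existing style: `"oidcOverridePermissionsWithCustomClaimsOnLogin": false, // When true, the Squidex permission claims from the OIDC provider replace the user's stored custom claims on every login.` Whether locally granted permissions are merged or dropped is not visible in this hunk, so phrase the comment to match what `UpdateAsync` actually does.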