Merge branch 'master' of github.com:Squidex/squidex

backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs

@@ -242,6 +242,16 @@ public sealed class AccountController : IdentityServerController
         if (isLoggedIn)
         {
             user = await userService.FindByLoginAsync(login.LoginProvider, login.ProviderKey, HttpContext.RequestAborted);
+
+            if (user != null && identityOptions.OidcOverridePermissionsWithCustomClaimsOnLogin)
+            {
+                var values = new UserValues
+                {
+                    CustomClaims = login.Principal.Claims.GetSquidexClaims().ToList()
+                };
+
+                user = await userService.UpdateAsync(user.Id, values, false, HttpContext.RequestAborted);
+            }
         }
         else
         {

backend/src/Squidex/Config/MyIdentityOptions.cs

@@ -59,6 +59,8 @@ public sealed class MyIdentityOptions
 
     public bool OidcGetClaimsFromUserInfoEndpoint { get; set; }
 
+    public bool OidcOverridePermissionsWithCustomClaimsOnLogin { get; set; }
+
     public bool AdminRecreate { get; set; }
 
     public bool AllowPasswordAuth { get; set; }

backend/src/Squidex/appsettings.json

@@ -599,6 +599,7 @@
         ],
         "oidcResponseType": "id_token", // or "code"
         "oidcGetClaimsFromUserInfoEndpoint": false,
+        "oidcOverridePermissionsWithCustomClaimsOnLogin": false,
         "oidcOnSignoutRedirectUrl": "",
 
         // Lock new users automatically, the administrator must unlock them.