@flink-app/oidc-plugin 2.0.0-alpha.89 → 2.0.0-alpha.91

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @flink-app/oidc-plugin
 
+## 2.0.0-alpha.91
+
+### Minor Changes
+
+-   1bdbc82: feat(oidc-plugin): add per-provider `useUserInfoEndpoint` config flag (default `true`) to disable UserInfo calls for IdPs where the endpoint is unreliable or redundant with ID token claims
+
+### Patch Changes
+
+-   @flink-app/flink@2.0.0-alpha.91
+-   @flink-app/jwt-auth-plugin@2.0.0-alpha.91
+
+## 2.0.0-alpha.90
+
+### Patch Changes
+
+-   e18a37b: Add raw IdP response trace logs and prune redundant debug logs
+-   Updated dependencies [0d84b5f]
+    -   @flink-app/flink@2.0.0-alpha.90
+    -   @flink-app/jwt-auth-plugin@2.0.0-alpha.90
+
 ## 2.0.0-alpha.89
 
 ### Patch Changes

package/README.md

@@ -203,6 +203,26 @@ await app.start();
 }
 ```
 
+#### Disabling the UserInfo endpoint
+
+By default, the plugin calls the UserInfo endpoint after token exchange to
+enrich the profile with additional claims. Some IdPs either don't expose
+extra claims beyond the ID token or return unreliable 5xx errors from
+UserInfo. In those cases, set `useUserInfoEndpoint: false` on the provider
+config to skip the UserInfo call entirely and build profiles from ID token
+claims only:
+
+```typescript
+{
+  issuer: "https://idp.acme.com",
+  clientId: "your-client-id",
+  clientSecret: "your-client-secret",
+  callbackUrl: "https://myapp.com/oidc/acme/callback",
+  discoveryUrl: "https://idp.acme.com/.well-known/openid-configuration",
+  useUserInfoEndpoint: false, // skip UserInfo; use ID token claims only
+}
+```
+
 ### Callback Functions
 
 #### onAuthSuccess
@@ -619,6 +639,7 @@ interface OidcProviderConfigDB {
     authorizationEndpoint?: string;
     tokenEndpoint?: string;
     userinfoEndpoint?: string;
+    useUserInfoEndpoint?: boolean; // default true
     jwksUri?: string;
     scope: string[];
     createdAt: Date;

package/dist/OidcProviderConfig.d.ts

@@ -84,5 +84,14 @@ export interface OidcProviderConfig {
      * e.g., { "department": "custom:department", "role": "custom:role" }
      */
     claimMapping?: Record<string, string>;
+    /**
+     * Whether to fetch additional claims from the UserInfo endpoint.
+     * Default: true
+     *
+     * Set to `false` for IdPs whose UserInfo endpoint is unreliable or
+     * returns no additional data beyond what's already in the ID token.
+     * When disabled, profiles are built from ID token claims only.
+     */
+    useUserInfoEndpoint?: boolean;
 }
 //# sourceMappingURL=OidcProviderConfig.d.ts.map

package/dist/OidcProviderConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,MAAM,CAAC;IAEhF;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC"}
+{"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,MAAM,CAAC;IAEhF;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEtC;;;;;;;OAOG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CACjC"}

package/dist/handlers/CallbackOidc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CallbackOidc.d.ts","sourceRoot":"","sources":["../../src/handlers/CallbackOidc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAc,UAAU,EAAwC,MAAM,kBAAkB,CAAC;AAC5G,OAAO,eAAe,MAAM,4BAA4B,CAAC;AAOzD;;GAEG;AACH,UAAU,UAAU;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,UAGnB,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,YAAY,EAAE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,CAiRnE,CAAC;AAEF,eAAe,YAAY,CAAC"}
+{"version":3,"file":"CallbackOidc.d.ts","sourceRoot":"","sources":["../../src/handlers/CallbackOidc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAc,UAAU,EAAwC,MAAM,kBAAkB,CAAC;AAC5G,OAAO,eAAe,MAAM,4BAA4B,CAAC;AAOzD;;GAEG;AACH,UAAU,UAAU;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,UAGnB,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,YAAY,EAAE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,CA4QnE,CAAC;AAEF,eAAe,YAAY,CAAC"}

package/dist/handlers/CallbackOidc.js

@@ -114,7 +114,6 @@ const CallbackOidc = async ({ ctx, req }) => {
         }
         const oidcProvider = await providerRegistry.getProvider(provider);
         // Exchange authorization code for tokens with PKCE validation
-        log_1.oidcLog.debug(`Callback: exchanging authorization code for tokens`);
         const tokenSet = await oidcProvider.exchangeCodeForToken({
             code,
             codeVerifier: session.codeVerifier,
@@ -122,12 +121,10 @@ const CallbackOidc = async ({ ctx, req }) => {
             nonce: session.nonce,
         });
         log_1.oidcLog.debug(`Callback: token exchange successful`, `sub="${tokenSet.claims.sub}"`, `iss="${tokenSet.claims.iss}"`, `email="${tokenSet.claims.email || "(none)"}"`, `hasRefreshToken=${!!tokenSet.refreshToken}`, `expiresIn=${tokenSet.expiresIn ?? "(none)"}s`);
-        // Build user profile from ID token and UserInfo
-        log_1.oidcLog.debug(`Callback: building user profile`);
-        const profile = await oidcProvider.buildProfile(tokenSet, true);
+        // Build user profile from ID token and (optionally) UserInfo
+        const profile = await oidcProvider.buildProfile(tokenSet, oidcProvider.config.useUserInfoEndpoint ?? true);
         log_1.oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
         // Call onAuthSuccess callback to create/link user and generate JWT token
-        log_1.oidcLog.debug(`Callback: calling onAuthSuccess`);
         const authSuccessParams = {
             profile,
             claims: tokenSet.claims,
@@ -164,7 +161,6 @@ const CallbackOidc = async ({ ctx, req }) => {
             }
             return (0, flink_1.internalServerError)("Authentication failed. Please try again.");
         }
-        log_1.oidcLog.debug(`Callback: onAuthSuccess completed`);
         // Extract user and JWT token from callback result
         const { user, token, redirectUrl } = authResult;
         if (!token) {

package/dist/providers/OidcProvider.d.ts

@@ -14,7 +14,7 @@ import OidcTokenSet from "../schemas/OidcTokenSet";
  * - Claims mapping to profile
  */
 export declare class OidcProvider {
-    private config;
+    readonly config: OidcProviderConfig;
     private issuer;
     private client;
     private initialized;

package/dist/providers/OidcProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAkEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAsC/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAajE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAiCjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
+{"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,SAAgB,MAAM,EAAE,kBAAkB,CAAC;IAC3C,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAoD/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAsBjE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}

package/dist/providers/OidcProvider.js

@@ -41,6 +41,7 @@ class OidcProvider {
                 log_1.oidcLog.debug(`Provider "${this.config.issuer}": discovering from ${this.config.discoveryUrl}`);
                 this.issuer = await openid_client_1.Issuer.discover(this.config.discoveryUrl);
                 log_1.oidcLog.debug(`Provider "${this.config.issuer}": discovery complete`, `authorization_endpoint=${this.issuer.metadata.authorization_endpoint}`, `token_endpoint=${this.issuer.metadata.token_endpoint}`, `userinfo_endpoint=${this.issuer.metadata.userinfo_endpoint ?? "(none)"}`, `jwks_uri=${this.issuer.metadata.jwks_uri}`);
+                log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw discovery metadata from ${this.config.discoveryUrl}`, this.issuer.metadata);
             }
             // Option 2: Manual configuration
             else {
@@ -120,6 +121,10 @@ class OidcProvider {
                 state: params.state,
                 nonce: params.nonce,
             });
+            // Raw response from the token endpoint (includes access_token, id_token,
+            // refresh_token, token_type, expires_at, scope, and any non-standard fields
+            // returned by the IdP). Trace-level because it contains secrets.
+            log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw token endpoint response`, { ...tokenSet });
             // Extract claims from ID token (already validated by openid-client)
             const claims = tokenSet.claims();
             log_1.oidcLog.trace(`Provider "${this.config.issuer}": extracted claims from ID token`, claims);
@@ -134,6 +139,15 @@ class OidcProvider {
             };
         }
         catch (error) {
+            // openid-client attaches the raw IdP error response on OPError.
+            log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw token exchange error`, {
+                name: error.name,
+                message: error.message,
+                error: error.error,
+                error_description: error.error_description,
+                error_uri: error.error_uri,
+                response: error.response?.body ?? error.response,
+            });
             throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.TOKEN_EXCHANGE_FAILED, `Token exchange failed: ${error.message}`, {
                 originalError: error.message,
                 errorCode: error.error,
@@ -153,9 +167,18 @@ class OidcProvider {
         await this.ensureInitialized();
         try {
             const userinfo = await this.client.userinfo(accessToken);
+            // Raw response from the UserInfo endpoint, before any mapping/merging.
+            log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo endpoint response`, userinfo);
             return userinfo;
         }
         catch (error) {
+            log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo error`, {
+                name: error.name,
+                message: error.message,
+                error: error.error,
+                error_description: error.error_description,
+                response: error.response?.body ?? error.response,
+            });
             throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.USERINFO_FAILED, `UserInfo request failed: ${error.message}`, {
                 originalError: error.message,
             });
@@ -181,7 +204,6 @@ class OidcProvider {
                 const userinfo = await this.getUserInfo(tokenSet.accessToken);
                 // Merge UserInfo claims with ID token claims
                 claims = { ...claims, ...userinfo };
-                log_1.oidcLog.trace(`Provider "${this.config.issuer}": merged claims after UserInfo`, claims);
             }
             catch (error) {
                 // UserInfo is optional - continue with ID token claims only

package/dist/providers/ProviderRegistry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAI3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAAyE;IAChG,OAAO,CAAC,GAAG,CAAM;gBAGb,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,EACvF,GAAG,CAAC,EAAE,GAAG;IAOb;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAiD9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}
+{"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAI3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAAyE;IAChG,OAAO,CAAC,GAAG,CAAM;gBAGb,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,EACvF,GAAG,CAAC,EAAE,GAAG;IAOb;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IA+C9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}

package/dist/providers/ProviderRegistry.js

@@ -59,10 +59,8 @@ class ProviderRegistry {
         }
         log_1.oidcLog.debug(`Provider "${providerName}" resolved via ${configSource}:`, `issuer=${config.issuer}`, `clientId=${config.clientId}`, `clientSecret=${(0, log_1.maskSecret)(config.clientSecret)}`, `callbackUrl=${config.callbackUrl}`, config.discoveryUrl ? `discoveryUrl=${config.discoveryUrl}` : `authorizationEndpoint=${config.authorizationEndpoint}`, `scope=${(config.scope || ["openid", "email", "profile"]).join(" ")}`);
         // Create and initialize provider
-        log_1.oidcLog.debug(`Provider "${providerName}": initializing OIDC client`);
         const provider = new OidcProvider_1.OidcProvider(config);
         await provider.initialize();
-        log_1.oidcLog.debug(`Provider "${providerName}": initialized successfully`);
         // Cache the instance
         this.providerInstances.set(providerName, provider);
         return provider;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flink-app/oidc-plugin",
-  "version": "2.0.0-alpha.89",
+  "version": "2.0.0-alpha.91",
   "description": "Flink plugin for OIDC authentication with generic IdP support",
   "author": "joel@frost.se",
   "license": "MIT",
@@ -11,10 +11,10 @@
   },
   "dependencies": {
     "openid-client": "^5.7.0",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.89"
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.91"
   },
   "peerDependencies": {
-    "@flink-app/flink": ">=2.0.0-alpha.89",
+    "@flink-app/flink": ">=2.0.0-alpha.91",
     "mongodb": "^6.15.0"
   },
   "peerDependenciesMeta": {
@@ -27,9 +27,9 @@
     "@types/node": "22.13.10",
     "ts-node": "^10.9.2",
     "tsc-watch": "^4.2.9",
-    "@flink-app/flink": "2.0.0-alpha.89",
-    "@flink-app/test-utils": "2.0.0-alpha.89",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.89"
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.91",
+    "@flink-app/test-utils": "2.0.0-alpha.91",
+    "@flink-app/flink": "2.0.0-alpha.91"
   },
   "scripts": {
     "test": "jasmine-ts --config=./spec/support/jasmine.json",

package/src/OidcProviderConfig.ts

@@ -96,4 +96,14 @@ export interface OidcProviderConfig {
      * e.g., { "department": "custom:department", "role": "custom:role" }
      */
     claimMapping?: Record<string, string>;
+
+    /**
+     * Whether to fetch additional claims from the UserInfo endpoint.
+     * Default: true
+     *
+     * Set to `false` for IdPs whose UserInfo endpoint is unreliable or
+     * returns no additional data beyond what's already in the ID token.
+     * When disabled, profiles are built from ID token claims only.
+     */
+    useUserInfoEndpoint?: boolean;
 }

package/src/handlers/CallbackOidc.ts

@@ -142,7 +142,6 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
         const oidcProvider = await providerRegistry.getProvider(provider);
 
         // Exchange authorization code for tokens with PKCE validation
-        oidcLog.debug(`Callback: exchanging authorization code for tokens`);
         const tokenSet = await oidcProvider.exchangeCodeForToken({
             code,
             codeVerifier: session.codeVerifier,
@@ -159,13 +158,11 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
             `expiresIn=${tokenSet.expiresIn ?? "(none)"}s`
         );
 
-        // Build user profile from ID token and UserInfo
-        oidcLog.debug(`Callback: building user profile`);
-        const profile = await oidcProvider.buildProfile(tokenSet, true);
+        // Build user profile from ID token and (optionally) UserInfo
+        const profile = await oidcProvider.buildProfile(tokenSet, oidcProvider.config.useUserInfoEndpoint ?? true);
         oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
 
         // Call onAuthSuccess callback to create/link user and generate JWT token
-        oidcLog.debug(`Callback: calling onAuthSuccess`);
         const authSuccessParams = {
             profile,
             claims: tokenSet.claims,
@@ -207,8 +204,6 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
             return internalServerError("Authentication failed. Please try again.");
         }
 
-        oidcLog.debug(`Callback: onAuthSuccess completed`);
-
         // Extract user and JWT token from callback result
         const { user, token, redirectUrl } = authResult;
 

package/src/providers/OidcProvider.ts

@@ -18,7 +18,7 @@ import { oidcLog } from "../log";
  * - Claims mapping to profile
  */
 export class OidcProvider {
-    private config: OidcProviderConfig;
+    public readonly config: OidcProviderConfig;
     private issuer: Issuer<Client> | null = null;
     private client: Client | null = null;
     private initialized: boolean = false;
@@ -52,6 +52,10 @@ export class OidcProvider {
                     `userinfo_endpoint=${this.issuer.metadata.userinfo_endpoint ?? "(none)"}`,
                     `jwks_uri=${this.issuer.metadata.jwks_uri}`
                 );
+                oidcLog.trace(
+                    `Provider "${this.config.issuer}": raw discovery metadata from ${this.config.discoveryUrl}`,
+                    this.issuer.metadata
+                );
             }
             // Option 2: Manual configuration
             else {
@@ -149,6 +153,11 @@ export class OidcProvider {
                 }
             );
 
+            // Raw response from the token endpoint (includes access_token, id_token,
+            // refresh_token, token_type, expires_at, scope, and any non-standard fields
+            // returned by the IdP). Trace-level because it contains secrets.
+            oidcLog.trace(`Provider "${this.config.issuer}": raw token endpoint response`, { ...tokenSet });
+
             // Extract claims from ID token (already validated by openid-client)
             const claims = tokenSet.claims();
             oidcLog.trace(`Provider "${this.config.issuer}": extracted claims from ID token`, claims);
@@ -163,6 +172,15 @@ export class OidcProvider {
                 claims,
             };
         } catch (error: any) {
+            // openid-client attaches the raw IdP error response on OPError.
+            oidcLog.trace(`Provider "${this.config.issuer}": raw token exchange error`, {
+                name: error.name,
+                message: error.message,
+                error: error.error,
+                error_description: error.error_description,
+                error_uri: error.error_uri,
+                response: error.response?.body ?? error.response,
+            });
             throw createOidcError(OidcErrorCodes.TOKEN_EXCHANGE_FAILED, `Token exchange failed: ${error.message}`, {
                 originalError: error.message,
                 errorCode: error.error,
@@ -184,8 +202,17 @@ export class OidcProvider {
 
         try {
             const userinfo = await this.client!.userinfo(accessToken);
+            // Raw response from the UserInfo endpoint, before any mapping/merging.
+            oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo endpoint response`, userinfo);
             return userinfo;
         } catch (error: any) {
+            oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo error`, {
+                name: error.name,
+                message: error.message,
+                error: error.error,
+                error_description: error.error_description,
+                response: error.response?.body ?? error.response,
+            });
             throw createOidcError(OidcErrorCodes.USERINFO_FAILED, `UserInfo request failed: ${error.message}`, {
                 originalError: error.message,
             });
@@ -214,7 +241,6 @@ export class OidcProvider {
                 const userinfo = await this.getUserInfo(tokenSet.accessToken);
                 // Merge UserInfo claims with ID token claims
                 claims = { ...claims, ...userinfo };
-                oidcLog.trace(`Provider "${this.config.issuer}": merged claims after UserInfo`, claims);
             } catch (error) {
                 // UserInfo is optional - continue with ID token claims only
                 oidcLog.warn(`Failed to fetch UserInfo from ${userinfoUrl}, using ID token claims only:`, error);

package/src/providers/ProviderRegistry.ts

@@ -80,10 +80,8 @@ export class ProviderRegistry {
         );
 
         // Create and initialize provider
-        oidcLog.debug(`Provider "${providerName}": initializing OIDC client`);
         const provider = new OidcProvider(config);
         await provider.initialize();
-        oidcLog.debug(`Provider "${providerName}": initialized successfully`);
 
         // Cache the instance
         this.providerInstances.set(providerName, provider);