From fcefc6eedfec405af86028910a261fbd2eac6e7a Mon Sep 17 00:00:00 2001
From: SollalF <64600280+SollalF@users.noreply.github.com>
Date: Tue, 5 Aug 2025 02:49:36 +0800
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat:=20Add=20OpenID=20Audience=20P?= =?UTF-8?q?arameter=20(#8837)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* ✨ feat: Add OpenID audience parameter support in authorization requests
* Updated .env.example to include OPENID_AUDIENCE variable for configuration.
* Enhanced openidStrategy to set the audience parameter in authorization requests if specified, improving OpenID integration.
* Update .env.example
* Update openidStrategy.js
---------
Co-authored-by: Danny Avila
---
 .env.example | 2 ++
 api/strategies/openidStrategy.js | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/.env.example b/.env.example
index 23777fe26..d0435c746 100644
--- a/.env.example
+++ b/.env.example
@@ -442,6 +442,8 @@ OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 OPENID_USERNAME_CLAIM=
 # Set to determine which user info property returned from OpenID Provider to store as the User's name
 OPENID_NAME_CLAIM=
+# Optional audience parameter for OpenID authorization requests
+OPENID_AUDIENCE=
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index 605f0b054..f2151f3df 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -104,6 +104,14 @@ class CustomOpenIDStrategy extends OpenIDStrategy {
 if (options?.state && !params.has('state')) {
 params.set('state', options.state);
 }
+
+ if (process.env.OPENID_AUDIENCE) {
+ params.set('audience', process.env.OPENID_AUDIENCE);
+ logger.debug(
+ `[openidStrategy] Adding audience to authorization request: ${process.env.OPENID_AUDIENCE}`,
+ );
+ }
+
 return params;
 }
 }
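Review bot: The new `if (process.env.OPENID_AUDIENCE)` block in openidStrategy.js sends `audience` with no comment explaining that it is a provider-specific extension rather than a core OpenID Connect authorization parameter, and that it changes which API the issued access token is meant for. I would add above the block: `// Provider-specific extension: asks the IdP to issue the access token for this API; code that consumes the token should verify its aud claim.` The value is also used untrimmed, so a padded or whitespace-only setting is sent as-is; `const audience = process.env.OPENID_AUDIENCE?.trim();` followed by `if (audience) { params.set('audience', audience); }` avoids that. Whether the returned token's `aud` is checked anywhere cannot be seen here, since the method and the verify path start outside the hunk.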