update

apps/account/next.config.js

@@ -22,6 +22,14 @@ const nextConfig = {
       'abs.twimg.com'
     ],
   },
+  async rewrites() {
+    return [
+      {
+        source: '/.well-known/openid-configuration',
+        destination: '/api/oidc/.well-known/openid-configuration',
+      },
+    ];
+  },
   transpilePackages: ['next-auth'],
   experimental: {
     missingSuspenseWithCSRBailout: false,

apps/account/src/lib/external-oidc/findAccount.ts

@@ -1,13 +1,13 @@
-import { KoaContextWithOIDC, Account, ClaimsParameterMember, FindAccount, AccountClaims } from 'oidc-provider';
+import { KoaContextWithOIDC, Account, AccountClaims } from 'oidc-provider';
 import { fdb } from '../googlecloud/db';
 
 interface LocalAccount {
   id: string;
   displayName?: string;
   email?: string;
-  verifiedEmails?: string[];  // Array of verified emails
+  verifiedEmails?: string[];
   phone?: string;
-  verifiedPhones?: string[];    // Array of verified phones
+  verifiedPhones?: string[];
   birthdate?: string;
   firstName?: string;
   lastName?: string;
@@ -50,18 +50,17 @@ async function findAccount(ctx: KoaContextWithOIDC, id: string): Promise<Account
     accountId: account.id,
     async claims(use: string, scope: string): Promise<AccountClaims> {
       const claims: AccountClaims = {
-        sub: account.id ?? id,
-        id: account.id ?? id,
-        displayName: account.displayName,
+        sub: account.id,
+        name: account.displayName,
         email: account.email,
-        verifiedEmails: account.verifiedEmails,
-        phone: account.phone,
-        verifiedPhones: account.verifiedPhones,
+        email_verified: account.verifiedEmails?.includes(account.email ?? '') ?? false,
+        phone_number: account.phone,
+        phone_number_verified: account.verifiedPhones?.includes(account.phone ?? '') ?? false,
         birthdate: account.birthdate,
-        firstName: account.firstName,
-        lastName: account.lastName,
+        given_name: account.firstName,
+        family_name: account.lastName,
         locale: account.locale,
-        photoURL: account.photoURL,
+        picture: account.photoURL,
       };
       return claims;
     },

apps/account/src/lib/external-oidc/index.ts

@@ -17,6 +17,23 @@ export function createOidcProvider() {
     // No pre-configured clients, clients should be registered as needed
     clients: [],
 
+    // Allow CORS requests from any origin
+    clientBasedCORS: () => true,
+
+    // Enable and configure OIDC features
+    features: {
+      devInteractions: { enabled: false },
+
+      deviceFlow: { enabled: true },
+      revocation: { enabled: true },
+      introspection: { enabled: true },
+      webMessageResponseMode: { enabled: true },
+      claimsParameter: { enabled: true },
+    },
+
+    // Enables rotating refresh tokens
+    rotateRefreshToken: true,
+
     // Define routes for various OIDC endpoints
     routes: {
       authorization: '/api/oidc/auth',
@@ -43,29 +60,30 @@ export function createOidcProvider() {
       response_types: ['code', 'id_token'],
     },
 
-    // Allow CORS requests from any origin
-    clientBasedCORS: () => true,
-
-    // Enable and configure OIDC features
-    features: {
-      devInteractions: { enabled: false },
-
-      deviceFlow: { enabled: true },
-      revocation: { enabled: true },
-      introspection: { enabled: true },
-      webMessageResponseMode: { enabled: true },
-      claimsParameter: { enabled: true },
-    },
-
-    // Enables rotating refresh tokens
-    rotateRefreshToken: true,
-
     // Defines the available claims and their scopes
     claims: {
-      address: ['address'],
-      email: ['email', 'verifiedEmails'],
-      phone: ['phone', 'verifiedPhone'],
-      profile: ['id', 'birthdate', 'firstName', 'gender', 'lastName', 'locale', 'displayName', 'photoURL'],
+      profile: [
+        'sub',            // Subject Identifier (User ID)
+        'name',           // Full name
+        'given_name',     // First name
+        'family_name',    // Last name
+        'preferred_username', // Username or display name
+        'picture',        // Profile picture URL
+        'birthdate',      // Date of birth
+        'locale',         // User's locale
+        'updated_at'      // Profile last updated timestamp
+      ],
+      email: [
+        'email',          // Email address
+        'email_verified'  // Email verification status
+      ],
+      phone: [
+        'phone_number',   // Phone number
+        'phone_number_verified' // Phone number verification status
+      ],
+      address: [
+        'address'         // Physical address
+      ]
     },
     // Define extra parameters for handling scope dynamically
     extraParams: {

apps/account/src/pages/api/oidc/.well-known/openid-configuration.ts

@@ -0,0 +1,26 @@
+import type { NextApiRequest, NextApiResponse } from 'next';
+import { createOidcProvider } from '@/lib/external-oidc';
+
+const provider = createOidcProvider();
+
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  try {
+
+    // Rewrite URL to point to the OpenID Connect configuration path
+    req.url = '/.well-known/openid-configuration';
+
+    // Pass the request and response to the OIDC provider
+    await provider.callback()(req, res);
+
+  } catch (error) {
+    console.error(`[OIDC] Error handling .well-known request:`, error);
+    res.status(500).json({ error: 'Internal Server Error' });
+  }
+}
+
+// Disable body parsing as oidc-provider expects raw body
+export const config = {
+  api: {
+    bodyParser: false,
+  },
+};

apps/account/src/pages/api/oidc/[...slug].ts

@@ -6,14 +6,6 @@ const provider = createOidcProvider();
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   try {
-    const { slug } = req.query;
-
-    // Set caching headers to disable caching
-    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
-    res.setHeader('Pragma', 'no-cache');
-    res.setHeader('Expires', '0');
-    res.setHeader('Surrogate-Control', 'no-store');
-
     await provider.callback()(req, res);
   } catch (error) {
     console.error(`[OIDC] Error handling request at path ${req.url}:`, error);

apps/account/tsconfig.json

@@ -38,7 +38,7 @@
     "src/auth.ts",
     "src/lib/internal-auth/googledb-adapter",
     "build/types/**/*.ts"
-  ],
+, "src/pages/api/oidc/.well-known/openid-configuration.ts"  ],
   "exclude": [
     "node_modules"
   ]

apps/myaccount/myaccount-web-app/src/app/(me)/security/multiaccount/page.tsx

@@ -7,6 +7,7 @@ import { DropdownMenu, DropdownMenuTrigger, DropdownMenuContent, DropdownMenuIte
 import { signIn, getSession } from "next-auth/react";
 import { Skeleton } from "@/components/ui/skeleton";
 import Image from "next/image";
+import { UserService } from "@/service";
 
 interface Provider {
   icon: string;
@@ -37,12 +38,15 @@ const ConnectedAccounts: React.FC = () => {
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
 
+  const userService = UserService();
+
   useEffect(() => {
     const fetchAccounts = async () => {
       try {
         const session = await getSession();
-        if (session?.user?.accounts) {
-          setAccounts(Object.values(session.user.accounts));
+        const user = await userService.getUserProfile(session?.accessToken!);
+        if (user?.accounts) {
+          setAccounts(Object.values(user?.accounts));
         }
       } catch (err: unknown) {
         if (err instanceof Error) {

apps/myaccount/myaccount-web-app/src/app/(me)/security/verify/page.tsx

@@ -9,6 +9,7 @@ import { Input } from "@/components/ui/input";
 import { Skeleton } from "@/components/ui/skeleton";
 import { ShieldCheck, X } from "lucide-react";
 import { Separator } from "@/components/ui/separator";
+import { UserService } from "@/service";
 
 interface EmailListProps {
   emails: string[];
@@ -175,12 +176,16 @@ const VerifiedEmails: React.FC = () => {
   const [isOtpSent, setIsOtpSent] = useState(false);
   const [emailToDelete, setEmailToDelete] = useState<string | null>(null);
 
+  const userService = UserService();
+
   useEffect(() => {
     const fetchEmails = async () => {
       try {
         const session = await getSession();
-        if (session?.user?.verifiedEmails) {
-          setEmails(session.user.verifiedEmails);
+        const user = await userService.getUserProfile(session?.accessToken!);
+
+        if (user?.verifiedEmails) {
+          setEmails(user.verifiedEmails);
         }
       } catch (err) {
         handleError(error);

apps/myaccount/myaccount-web-app/src/app/api/me/profile/get/route.ts

@@ -10,7 +10,7 @@ export async function GET(request: NextRequest): Promise<NextResponse> {
       return NextResponse.json({ message: 'Not authenticated' }, { status: 401 });
     }
 
-    const userId = session.user.id; // Adjust based on how your session stores the user ID
+    const userId = session.user.id!; // Adjust based on how your session stores the user ID
 
     const userDoc = await usersCollection(firestore).doc(userId).get();
 

apps/myaccount/myaccount-web-app/src/app/api/me/profile/update/preferences/appearance/route.ts

@@ -10,7 +10,7 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
       return NextResponse.json({ message: 'Not authenticated' }, { status: 401 });
     }
 
-    const userId = session.user.id; // Adjust based on how your session stores the user ID
+    const userId = session.user.id!; // Adjust based on how your session stores the user ID
     const data = await request.json();
     console.log(data);
 

apps/myaccount/myaccount-web-app/src/app/api/me/profile/update/preferences/notifications/route.ts

@@ -10,7 +10,7 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
       return NextResponse.json({ message: 'Not authenticated' }, { status: 401 });
     }
 
-    const userId = session.user.id; // Adjust based on how your session stores the user ID
+    const userId = session.user.id!; // Adjust based on how your session stores the user ID
     const data = await request.json();
 
     const validFields = {