From e075009ba5946d731cc74dfdd7c24577fd1920b5 Mon Sep 17 00:00:00 2001 From: Yadd Date: Wed, 8 Jan 2025 14:15:37 +0100 Subject: [PATCH] Add patch for buggy OIDC providers --- Changes.md | 1 + full/Dockerfile | 1 + full/oidc-op-claims.patch | 314 ++++++++++++++++++++++++++++++ manager/Dockerfile | 1 + manager/oidc-op-claims.patch | 314 ++++++++++++++++++++++++++++++ portal/Dockerfile | 1 + portal/oidc-op-claims.patch | 31 +++ tmp/Dockerfile | 52 +++++ uwsgi-portal/Dockerfile | 1 + uwsgi-portal/oidc-op-claims.patch | 31 +++ 10 files changed, 747 insertions(+) create mode 100644 full/oidc-op-claims.patch create mode 100644 manager/oidc-op-claims.patch create mode 100644 portal/oidc-op-claims.patch create mode 100644 tmp/Dockerfile create mode 100644 uwsgi-portal/oidc-op-claims.patch diff --git a/Changes.md b/Changes.md index 5ddefe1..3e2e309 100644 --- a/Changes.md +++ b/Changes.md @@ -4,6 +4,7 @@ * Add "Last-Modified" header for OIDC metadata * Add hook to modify refresh\_token * Fix offline sessions count +* Add patch for buggy OIDC providers ## v2.20.1-1 _(2024-11-19)_ * Update to 2.20.1 diff --git a/full/Dockerfile b/full/Dockerfile index 97cecbc..7e30fac 100644 --- a/full/Dockerfile +++ b/full/Dockerfile @@ -27,6 +27,7 @@ RUN \ echo patch globalLogout.patch && patch -p1 < globalLogout.patch && \ echo patch metadata-ttl.patch && patch -p1 < metadata-ttl.patch && \ echo patch fix-sessions-count.patch && patch -p1 run( \ diff --git a/full/oidc-op-claims.patch b/full/oidc-op-claims.patch new file mode 100644 index 0000000..f2044e8 --- /dev/null +++ b/full/oidc-op-claims.patch 
@@ -0,0 +1,314 @@
+diff --git a/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm b/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm
+index 55a19f8b9..be720fa24 100644
+--- a/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm
++++ b/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -5051,6 +5051,14 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
+ default => 0,
+ documentation => 'Use PKCE with this OP',
+ },
++ oidcOPMetaDataOptionsIDTokenForceClaims => {
++ type => 'bool',
++ documentation => "Use data from ID token instead of user_info endmoint",
++ },
++ oidcOPMetaDataOptionsAccessTokenClaims => {
++ type => 'bool',
++ documentation => "Use data from access token instead of user_info endmoint",
++ },
+ 
+ # OpenID Connect relying parties
+ oidcRPMetaDataExportedVars => {
+diff --git a/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm b/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm
+index a117adc0f..cdd0a8a7a 100644
+--- a/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm
++++ b/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm
+@@ -200,7 +200,9 @@ sub cTrees {
+ 'oidcOPMetaDataOptionsTokenEndpointAuthMethod',
+ 'oidcOPMetaDataOptionsCheckJWTSignature',
+ 'oidcOPMetaDataOptionsIDTokenMaxAge',
+- 'oidcOPMetaDataOptionsUseNonce'
++ 'oidcOPMetaDataOptionsUseNonce',
++ 'oidcOPMetaDataOptionsIDTokenForceClaims',
++ 'oidcOPMetaDataOptionsAccessTokenClaims',
+ ]
+ },
+ 'oidcOPMetaDataOptionsComment'
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json
+index 7753c2261..4c8b66821 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":" أوبين أيدي كونيكت بروفيدر",
+ "oidcOPMetaDataNodes":" أوبين أيدي كونيكت بروفيدر",
+ "oidcOPMetaDataOptions":"الخيارات",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"قيم أل ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"عرض",
+ "oidcOPMetaDataOptionsDisplayName":"اسم",
+ "oidcOPMetaDataOptionsDisplayParams":"عرض",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"الحد الأقصى لعمر تعريف التوكن",
+ "oidcOPMetaDataOptionsIcon":"شعار",
+ "oidcOPMetaDataOptionsJWKSTimeout":"مهلة بيانات JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json
+index ccb9e0be1..3ff552d65 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID Connect Providers",
+ "oidcOPMetaDataNodes":"OpenID Connect Providers",
+ "oidcOPMetaDataOptions":"Options",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR values",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Display",
+ "oidcOPMetaDataOptionsDisplayName":"Name",
+ "oidcOPMetaDataOptionsDisplayParams":"Display",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Token max age",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS data timeout",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json
+index 4acaf2893..c71a62d88 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Proveedores de conexión OpenID",
+ "oidcOPMetaDataNodes":"Proveedores de conexión OpenID",
+ "oidcOPMetaDataOptions":"Opciones",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Valores ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Display",
+ "oidcOPMetaDataOptionsDisplayName":"Nombre",
+ "oidcOPMetaDataOptionsDisplayParams":"Display",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Caducidad de token ID",
+ "oidcOPMetaDataOptionsIcon":"Logotipo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Caducidad de datos JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json
+index 4d3a35d78..0d1af2880 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Fournisseurs OpenID Connect",
+ "oidcOPMetaDataNodes":"Fournisseurs OpenID Connect",
+ "oidcOPMetaDataOptions":"Options",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Utiliser les attributs du jeton d'accès",
+ "oidcOPMetaDataOptionsAcrValues":"Valeurs ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Methode d'authentification pour demande le code d'autorisation",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algorithme de signature pour l'authentification du code autorisation",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Affichage",
+ "oidcOPMetaDataOptionsDisplayName":"Nom d'affichage",
+ "oidcOPMetaDataOptionsDisplayParams":"Affichage",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Utiliser les attributs du jeton d'identité",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Age maximum du jeton d'identité",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Durée de vie des données JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json
+index c2147e920..e5c163366 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"ספקי OpenID Connect",
+ "oidcOPMetaDataNodes":"ספקי OpenID Connect",
+ "oidcOPMetaDataOptions":"אפשרויות",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR values",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"תצוגה",
+ "oidcOPMetaDataOptionsDisplayName":"שם",
+ "oidcOPMetaDataOptionsDisplayParams":"תצוגה",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Token max age",
+ "oidcOPMetaDataOptionsIcon":"לוגו",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS data timeout",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json
+index e7739f3dd..d2e358224 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Provider di OpenID Connect",
+ "oidcOPMetaDataNodes":"Provider di OpenID Connect",
+ "oidcOPMetaDataOptions":"Opzioni",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Valori ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Visualizza",
+ "oidcOPMetaDataOptionsDisplayName":"Nome",
+ "oidcOPMetaDataOptionsDisplayParams":"Visualizza",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Eta massima dell'ID della Token",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Timeout dei dati di JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json
+index c81061a7c..42963c38a 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Dostawcy OpenID Connect",
+ "oidcOPMetaDataNodes":"Dostawcy OpenID Connect",
+ "oidcOPMetaDataOptions":"Opcje",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Wartości ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Wyświetlanie",
+ "oidcOPMetaDataOptionsDisplayName":"Nazwa",
+ "oidcOPMetaDataOptionsDisplayParams":"Wyświetlanie",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Maksymalny czas ważności tokena identyfikacyjnego",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Limit czasu danych JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json
+index 81ee2650e..63b73134e 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Provedores OpenID Connect",
+ "oidcOPMetaDataNodes":"Provedores OpenID Connect",
+ "oidcOPMetaDataOptions":"Opções",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Valores ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Método de autenticação para solicitação de código de autorização",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algoritmo de assinatura para solicitação de código de autorização",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Exibir",
+ "oidcOPMetaDataOptionsDisplayName":"Nome",
+ "oidcOPMetaDataOptionsDisplayParams":"Exibir",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Idade máxima do Token do ID",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"expiração de dados JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json
+index bd25b2371..2bae96433 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Provedores OpenID Connect",
+ "oidcOPMetaDataNodes":"Provedores OpenID Connect",
+ "oidcOPMetaDataOptions":"Opções",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Valores ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Método de autenticação para solicitação de código de autorização",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algoritmo de assinatura para solicitação de código de autorização",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Exibir",
+ "oidcOPMetaDataOptionsDisplayName":"Nome",
+ "oidcOPMetaDataOptionsDisplayParams":"Exibir",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Idade máxima do Token do ID",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"expiração de dados JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
+index 2a9787ba8..1aa02e797 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Провайдеры OpenID Connect",
+ "oidcOPMetaDataNodes":"Провайдеры OpenID Connect",
+ "oidcOPMetaDataOptions":"Настройки",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Значения ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Отображение",
+ "oidcOPMetaDataOptionsDisplayName":"Название",
+ "oidcOPMetaDataOptionsDisplayParams":"Отображение",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Максимальный возраст токена ID",
+ "oidcOPMetaDataOptionsIcon":"Лого",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Время ожидания данных JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
+index d51d7353d..f383f762a 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID Connect Sağlayıcıları",
+ "oidcOPMetaDataNodes":"OpenID Connect Sağlayıcıları",
+ "oidcOPMetaDataOptions":"Seçenekler",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR değerleri",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Görüntüle",
+ "oidcOPMetaDataOptionsDisplayName":"Ad",
+ "oidcOPMetaDataOptionsDisplayParams":"Görüntüle",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Jetonu maksimum ömrü",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS verisi zaman aşımı",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
+index 4e43d5b5f..f40c5db83 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Nhà cung cấp Kết nối OpenID",
+ "oidcOPMetaDataNodes":"Nhà cung cấp Kết nối OpenID",
+ "oidcOPMetaDataOptions":"Tùy chọn",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Giá trị ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Hiển thị",
+ "oidcOPMetaDataOptionsDisplayName":"Tên",
+ "oidcOPMetaDataOptionsDisplayParams":"Hiển thị",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Thời hạn ID Token",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Thời gian chờ của dữ liệu JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
+index 85ade8ee5..d88ec3c5d 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID 連線提供者",
+ "oidcOPMetaDataNodes":"OpenID 連線提供者",
+ "oidcOPMetaDataOptions":"選項",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR 值",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"顯示",
+ "oidcOPMetaDataOptionsDisplayName":"名稱",
+ "oidcOPMetaDataOptionsDisplayParams":"顯示",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID 權杖最大時間",
+ "oidcOPMetaDataOptionsIcon":"圖示",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS 資料逾時",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
+index feac3503f..b9704bb99 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
+@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"OpenID 連線提供者", + "oidcOPMetaDataNodes":"OpenID 連線提供者", + "oidcOPMetaDataOptions":"選項", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"ACR 值", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"顯示", + "oidcOPMetaDataOptionsDisplayName":"名稱", + "oidcOPMetaDataOptionsDisplayParams":"顯示", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"ID 權杖最大時間", + "oidcOPMetaDataOptionsIcon":"圖示", + "oidcOPMetaDataOptionsJWKSTimeout":"JWKS 資料逾時", diff --git a/manager/Dockerfile b/manager/Dockerfile index d323810..249f807 100644 --- a/manager/Dockerfile +++ b/manager/Dockerfile @@ -34,6 +34,7 @@ RUN \ echo patch globalLogout.patch && patch -p1 < globalLogout.patch && \ echo patch metadata-ttl.patch && patch -p1 < metadata-ttl.patch && \ echo patch fix-sessions-count.patch && patch -p1 run( \ diff --git a/manager/oidc-op-claims.patch b/manager/oidc-op-claims.patch new file mode 100644 index 0000000..f2044e8 --- /dev/null +++ b/manager/oidc-op-claims.patch 
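Review bot: The two new option definitions at the top of this patch file (the `oidcOPMetaDataOptionsIDTokenForceClaims` and `oidcOPMetaDataOptionsAccessTokenClaims` entries added to `Attributes.pm`) carry no `default`, unlike the neighbouring PKCE option's `default => 0,`, and both `documentation` strings misspell "endpoint" as "endmoint"; add `default => 0,` to each so that falling back to token claims is explicitly opt-in, and fix the spelling. Because an access token is normally addressed to the resource server rather than to this relying party, the documentation should also say that its claims are only trustworthy after signature, issuer and audience checks, e.g. `documentation => "Use claims from the access token instead of the userinfo endpoint (only when the token is a JWT whose signature, issuer and audience are verified)",`. The portal-side change that actually consumes these two flags (`portal/oidc-op-claims.patch` in the diffstat) is not in this chunk, so whether that verification happens cannot be confirmed here. The remaining hunks in this file only wire the two names into `CTrees.pm` and add translation strings.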
@@ -0,0 +1,314 @@ +diff --git a/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm b/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm +index 55a19f8b9..be720fa24 100644 +--- a/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm ++++ b/usr/share/perl5/Lemonldap/NG/Manager/Build/Attributes.pm +@@ -5051,6 +5051,14 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?: + default => 0, + documentation => 'Use PKCE with this OP', + }, ++ oidcOPMetaDataOptionsIDTokenForceClaims => { ++ type => 'bool', ++ documentation => "Use data from ID token instead of user_info endmoint", ++ }, ++ oidcOPMetaDataOptionsAccessTokenClaims => { ++ type => 'bool', ++ documentation => "Use data from access token instead of user_info endmoint", ++ }, + + # OpenID Connect relying parties + oidcRPMetaDataExportedVars => { +diff --git a/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm b/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm +index a117adc0f..cdd0a8a7a 100644 +--- a/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm ++++ b/usr/share/perl5/Lemonldap/NG/Manager/Build/CTrees.pm +@@ -200,7 +200,9 @@ sub cTrees { + 'oidcOPMetaDataOptionsTokenEndpointAuthMethod', + 'oidcOPMetaDataOptionsCheckJWTSignature', + 'oidcOPMetaDataOptionsIDTokenMaxAge', +- 'oidcOPMetaDataOptionsUseNonce' ++ 'oidcOPMetaDataOptionsUseNonce', ++ 'oidcOPMetaDataOptionsIDTokenForceClaims', ++ 'oidcOPMetaDataOptionsAccessTokenClaims', + ] + }, + 'oidcOPMetaDataOptionsComment' +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json +index 7753c2261..4c8b66821 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ar.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":" أوبين أيدي كونيكت بروفيدر", + "oidcOPMetaDataNodes":" أوبين أيدي كونيكت بروفيدر", + "oidcOPMetaDataOptions":"الخيارات", 
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"قيم أل ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"عرض", + "oidcOPMetaDataOptionsDisplayName":"اسم", + "oidcOPMetaDataOptionsDisplayParams":"عرض", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"الحد الأقصى لعمر تعريف التوكن", + "oidcOPMetaDataOptionsIcon":"شعار", + "oidcOPMetaDataOptionsJWKSTimeout":"مهلة بيانات JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json +index ccb9e0be1..3ff552d65 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/en.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"OpenID Connect Providers", + "oidcOPMetaDataNodes":"OpenID Connect Providers", + "oidcOPMetaDataOptions":"Options", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"ACR values", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Display", + "oidcOPMetaDataOptionsDisplayName":"Name", + "oidcOPMetaDataOptionsDisplayParams":"Display", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Token max age", + "oidcOPMetaDataOptionsIcon":"Logo", + "oidcOPMetaDataOptionsJWKSTimeout":"JWKS data timeout", +diff --git 
a/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json +index 4acaf2893..c71a62d88 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/es.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Proveedores de conexión OpenID", + "oidcOPMetaDataNodes":"Proveedores de conexión OpenID", + "oidcOPMetaDataOptions":"Opciones", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"Valores ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Display", + "oidcOPMetaDataOptionsDisplayName":"Nombre", + "oidcOPMetaDataOptionsDisplayParams":"Display", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"Caducidad de token ID", + "oidcOPMetaDataOptionsIcon":"Logotipo", + "oidcOPMetaDataOptionsJWKSTimeout":"Caducidad de datos JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json +index 4d3a35d78..0d1af2880 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/fr.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Fournisseurs OpenID Connect", + "oidcOPMetaDataNodes":"Fournisseurs OpenID Connect", + "oidcOPMetaDataOptions":"Options", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Utiliser les attributs du jeton d'accès", + "oidcOPMetaDataOptionsAcrValues":"Valeurs ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Methode d'authentification pour demande le code d'autorisation", + 
"oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algorithme de signature pour l'authentification du code autorisation", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Affichage", + "oidcOPMetaDataOptionsDisplayName":"Nom d'affichage", + "oidcOPMetaDataOptionsDisplayParams":"Affichage", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Utiliser les attributs du jeton d'identité", + "oidcOPMetaDataOptionsIDTokenMaxAge":"Age maximum du jeton d'identité", + "oidcOPMetaDataOptionsIcon":"Logo", + "oidcOPMetaDataOptionsJWKSTimeout":"Durée de vie des données JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json +index c2147e920..e5c163366 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/he.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"ספקי OpenID Connect", + "oidcOPMetaDataNodes":"ספקי OpenID Connect", + "oidcOPMetaDataOptions":"אפשרויות", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"ACR values", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"תצוגה", + "oidcOPMetaDataOptionsDisplayName":"שם", + "oidcOPMetaDataOptionsDisplayParams":"תצוגה", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Token max age", + "oidcOPMetaDataOptionsIcon":"לוגו", + "oidcOPMetaDataOptionsJWKSTimeout":"JWKS data timeout", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json +index e7739f3dd..d2e358224 100644 +--- 
a/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/it.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Provider di OpenID Connect", + "oidcOPMetaDataNodes":"Provider di OpenID Connect", + "oidcOPMetaDataOptions":"Opzioni", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"Valori ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Visualizza", + "oidcOPMetaDataOptionsDisplayName":"Nome", + "oidcOPMetaDataOptionsDisplayParams":"Visualizza", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"Eta massima dell'ID della Token", + "oidcOPMetaDataOptionsIcon":"Logo", + "oidcOPMetaDataOptionsJWKSTimeout":"Timeout dei dati di JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json +index c81061a7c..42963c38a 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pl.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Dostawcy OpenID Connect", + "oidcOPMetaDataNodes":"Dostawcy OpenID Connect", + "oidcOPMetaDataOptions":"Opcje", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"Wartości ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Wyświetlanie", + "oidcOPMetaDataOptionsDisplayName":"Nazwa", + 
"oidcOPMetaDataOptionsDisplayParams":"Wyświetlanie", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"Maksymalny czas ważności tokena identyfikacyjnego", + "oidcOPMetaDataOptionsIcon":"Logo", + "oidcOPMetaDataOptionsJWKSTimeout":"Limit czasu danych JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json +index 81ee2650e..63b73134e 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Provedores OpenID Connect", + "oidcOPMetaDataNodes":"Provedores OpenID Connect", + "oidcOPMetaDataOptions":"Opções", ++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token", + "oidcOPMetaDataOptionsAcrValues":"Valores ACR", + "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Método de autenticação para solicitação de código de autorização", + "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algoritmo de assinatura para solicitação de código de autorização", +@@ -707,6 +708,7 @@ + "oidcOPMetaDataOptionsDisplay":"Exibir", + "oidcOPMetaDataOptionsDisplayName":"Nome", + "oidcOPMetaDataOptionsDisplayParams":"Exibir", ++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token", + "oidcOPMetaDataOptionsIDTokenMaxAge":"Idade máxima do Token do ID", + "oidcOPMetaDataOptionsIcon":"Logo", + "oidcOPMetaDataOptionsJWKSTimeout":"expiração de dados JWKS", +diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json +index bd25b2371..2bae96433 100644 +--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json ++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/pt_BR.json +@@ -695,6 +695,7 @@ + "oidcOPMetaDataNode":"Provedores OpenID Connect", + "oidcOPMetaDataNodes":"Provedores 
OpenID Connect",
+ "oidcOPMetaDataOptions":"Opções",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Valores ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Método de autenticação para solicitação de código de autorização",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Algoritmo de assinatura para solicitação de código de autorização",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Exibir",
+ "oidcOPMetaDataOptionsDisplayName":"Nome",
+ "oidcOPMetaDataOptionsDisplayParams":"Exibir",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Idade máxima do Token do ID",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"expiração de dados JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
+index 2a9787ba8..1aa02e797 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/ru.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Провайдеры OpenID Connect",
+ "oidcOPMetaDataNodes":"Провайдеры OpenID Connect",
+ "oidcOPMetaDataOptions":"Настройки",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Значения ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Отображение",
+ "oidcOPMetaDataOptionsDisplayName":"Название",
+ "oidcOPMetaDataOptionsDisplayParams":"Отображение",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Максимальный возраст токена ID",
+ "oidcOPMetaDataOptionsIcon":"Лого",
+ 
"oidcOPMetaDataOptionsJWKSTimeout":"Время ожидания данных JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
+index d51d7353d..f383f762a 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/tr.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID Connect Sağlayıcıları",
+ "oidcOPMetaDataNodes":"OpenID Connect Sağlayıcıları",
+ "oidcOPMetaDataOptions":"Seçenekler",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR değerleri",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Görüntüle",
+ "oidcOPMetaDataOptionsDisplayName":"Ad",
+ "oidcOPMetaDataOptionsDisplayParams":"Görüntüle",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID Jetonu maksimum ömrü",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS verisi zaman aşımı",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
+index 4e43d5b5f..f40c5db83 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/vi.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"Nhà cung cấp Kết nối OpenID",
+ "oidcOPMetaDataNodes":"Nhà cung cấp Kết nối OpenID",
+ "oidcOPMetaDataOptions":"Tùy chọn",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"Giá trị ACR",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization 
code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"Hiển thị",
+ "oidcOPMetaDataOptionsDisplayName":"Tên",
+ "oidcOPMetaDataOptionsDisplayParams":"Hiển thị",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"Thời hạn ID Token",
+ "oidcOPMetaDataOptionsIcon":"Logo",
+ "oidcOPMetaDataOptionsJWKSTimeout":"Thời gian chờ của dữ liệu JWKS",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
+index 85ade8ee5..d88ec3c5d 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID 連線提供者",
+ "oidcOPMetaDataNodes":"OpenID 連線提供者",
+ "oidcOPMetaDataOptions":"選項",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR 值",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"顯示",
+ "oidcOPMetaDataOptionsDisplayName":"名稱",
+ "oidcOPMetaDataOptionsDisplayParams":"顯示",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID 權杖最大時間",
+ "oidcOPMetaDataOptionsIcon":"圖示",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS 資料逾時",
+diff --git a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
+index feac3503f..b9704bb99 100644
+--- a/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
++++ b/usr/share/lemonldap-ng/manager/htdocs/static/languages/zh_TW.json
+@@ -695,6 +695,7 @@
+ "oidcOPMetaDataNode":"OpenID 連線提供者",
+ "oidcOPMetaDataNodes":"OpenID 連線提供者",
+ "oidcOPMetaDataOptions":"選項",
++"oidcOPMetaDataOptionsAccessTokenClaims":"Use claims from Access Token",
+ "oidcOPMetaDataOptionsAcrValues":"ACR 值",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthMethod":"Authentication method for authorization code request",
+ "oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg":"Signature algorithm for authorization code authentication",
+@@ -707,6 +708,7 @@
+ "oidcOPMetaDataOptionsDisplay":"顯示",
+ "oidcOPMetaDataOptionsDisplayName":"名稱",
+ "oidcOPMetaDataOptionsDisplayParams":"顯示",
++"oidcOPMetaDataOptionsIDTokenForceClaims":"Use claims from ID Token",
+ "oidcOPMetaDataOptionsIDTokenMaxAge":"ID 權杖最大時間",
+ "oidcOPMetaDataOptionsIcon":"圖示",
+ "oidcOPMetaDataOptionsJWKSTimeout":"JWKS 資料逾時",
diff --git a/portal/Dockerfile b/portal/Dockerfile
index b3b9299..3810714 100644
--- a/portal/Dockerfile
+++ b/portal/Dockerfile
@@ -38,6 +38,7 @@ RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
 fixedLogout.patch more-logs.patch \
 matrix-token.patch redirect-ajax.patch \
 metadata-ttl.patch getreftoken.patch \
+ oidc-op-claims.patch \
 ; do echo patch $p && patch -p1 < $p; done && \
 rm -f /*.patch && \
 echo "# Install nginx configuration files" && \
diff --git a/portal/oidc-op-claims.patch b/portal/oidc-op-claims.patch
new file mode 100644
index 0000000..9c75537
--- /dev/null
+++ b/portal/oidc-op-claims.patch
@@ -0,0 +1,31 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
+@@ -42,7 +42,27 @@ sub getUser {
+ return PE_ERROR;
+ }
+
+- my $userinfo_content = $self->getUserInfo( $op, $access_token );
++ my $userinfo_content;
++ if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
++ my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
++ $userinfo_content =
++ eval { JSON::from_fson( MIME::Base64::decode_base64url($tmp) ) };
++ $self->logger->error("Unable to read ID token content: $@") if ($@);
++ }
++ if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
++ my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
++ eval {
++ $tmp = JSON::from_fson( MIME::Base64::decode_base64url($tmp) );
++ $userinfo_content =
++ $userinfo_content
++ ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
++ : $tmp;
++ };
++ $self->logger->error("Unable to read ID token content: $@") if ($@);
++ }
++ unless ($userinfo_content) {
++ $userinfo_content = $self->getUserInfo( $op, $access_token );
++ }
+
+ unless ($userinfo_content) {
+ $self->logger->warn("No User Info content");
diff --git a/tmp/Dockerfile b/tmp/Dockerfile
new file mode 100644
index 0000000..82a2eef
--- /dev/null
+++ b/tmp/Dockerfile
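Review bot: `JSON::from_fson` in both new branches (and in the identical hunk of uwsgi-portal/oidc-op-claims.patch) is not a function JSON.pm provides — the exported name is `from_json` — so unless a `from_fson` is defined elsewhere in the portal both `eval`s die, the error is logged and control always falls through to `getUserInfo`, which makes the two new options silent no-ops; the intended call is `JSON::from_json( MIME::Base64::decode_base64url($tmp) )`. The second branch's log line is a copy of the first and should read `"Unable to read access token content: $@"`. The access-token payload is base64-decoded with no signature check and, when both options are enabled, its claims overwrite the ID-token claims in the merge, yet nothing in the hunk confirms that the decoded `sub` matches the ID token's `sub` the way OIDC Core §5.3.2 requires for userinfo data; either an explicit `sub` comparison before accepting `$userinfo_content`, or a comment stating that these claims are trusted only because the token arrived over the back-channel token endpoint, belongs here. `getUser` begins before the hunk, and whether `$req->data->{id_token}` was signature-verified earlier in the flow, or whether the code below the hunk already performs the `sub` check, is not visible from this patch.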
@@ -0,0 +1,52 @@
+ARG DEBIANVERSION=bookworm
+
+FROM debian:${DEBIANVERSION}-slim as debian-backports-updated
+
+ENV DEBIAN_VERSION=bookworm
+
+RUN echo "# Install packages from ${DEBIAN_VERSION}" && \
+ apt-get -y update && \
+ apt-get -y install xz-utils && \
+ apt-get -y upgrade
+
+FROM debian-backports-updated as debian-with-lemon
+
+RUN apt-get -y --no-install-recommends install procps cron \
+ liblemonldap-ng-common-perl \
+ liblemonldap-ng-handler-perl \
+ lemonldap-ng-uwsgi-app \
+ liblemonldap-ng-portal-perl \
+ liblemonldap-ng-manager-perl \
+ apache2-utils \
+ libapache-session-browseable-perl libapache-session-ldap-perl \
+ libapache-session-mongodb-perl libapache-session-sqlite3-perl \
+ libapache-session-wrapper-perl \
+ libdbi-perl libdbd-pg-perl libnet-cidr-perl \
+ libhttp-parser-xs-perl liblwp-protocol-https-perl libstring-random-perl \
+ libconvert-base32-perl libnet-ldap-perl libxml-libxml-perl libxml-simple-perl \
+ libredis-perl libyaml-perl libencode-perl patch \
+ gsfonts patch libconvert-pem-perl \
+ libcrypt-u2f-server-perl libgeoip2-perl \
+ libglib-perl libgssapi-perl libhttp-browserdetect-perl \
+ libimage-magick-perl liblasso-perl libnet-facebook-oauth2-perl \
+ libnet-openid-consumer-perl libnet-openid-server-perl \
+ libnet-oauth-perl libsoap-lite-perl fonts-urw-base35 \
+ libauthen-webauthn-perl libcrypt-openssl-bignum-perl \
+ libconvert-base32-perl libio-string-perl libipc-run-perl \
+ libgd-securityimage-perl libmime-tools-perl libnet-ldap-perl \
+ libio-socket-timeout-perl libunicode-string-perl liblasso-perl \
+ libio-string-perl libemail-sender-perl libregexp-common-perl \
+ libcrypt-jwt-perl libdigest-hmac-perl libdata-password-zxcvbn-perl \
+ libhttp-browserdetect-perl libnet-dns-perl \
+ uwsgi uwsgi-plugin-psgi nginx libnginx-mod-http-lua
+
+RUN (echo ""; echo "daemon off;") >> /etc/nginx/nginx.conf && \
+ perl -i -pe 's#access_log .*;#access_log /dev/stdout;#; s#error_log .*;#error_log /dev/stdout info;#' 
/etc/nginx/nginx.conf
+
+COPY start /
+
+COPY install /
+
+CMD ["/usr/sbin/nginx"]
+
+ENTRYPOINT ["./start"]
diff --git a/uwsgi-portal/Dockerfile b/uwsgi-portal/Dockerfile
index 46741f5..b20d584 100644
--- a/uwsgi-portal/Dockerfile
+++ b/uwsgi-portal/Dockerfile
@@ -36,6 +36,7 @@ RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
 fixedLogout.patch more-logs.patch \
 matrix-token.patch redirect-ajax.patch \
 metadata-ttl.patch getreftoken.patch \
+ oidc-op-claims.patch \
 ; do echo patch $p && patch -p1 < $p; done && \
 rm -f /*.patch && \
 echo "# Install nginx configuration files" && \
diff --git a/uwsgi-portal/oidc-op-claims.patch b/uwsgi-portal/oidc-op-claims.patch
new file mode 100644
index 0000000..9c75537
--- /dev/null
+++ b/uwsgi-portal/oidc-op-claims.patch
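Review bot: `ENV DEBIAN_VERSION=bookworm` hard-codes the value that `ARG DEBIANVERSION` already parameterises, so a build passing a different `DEBIANVERSION` still announces bookworm in the first RUN's banner; redeclare the argument inside the stage and derive the variable from it, `ARG DEBIANVERSION` followed by `ENV DEBIAN_VERSION=${DEBIANVERSION}`. The update/upgrade layer never removes `/var/lib/apt/lists`, and the large install in the second stage relies on that stale cache rather than its own `apt-get update`, so the package lists end up baked into the image; ending that RUN with `rm -rf /var/lib/apt/lists/*` is the usual shape. Several packages appear twice in the install list (`patch`, `libconvert-base32-perl`, `libnet-ldap-perl`, `liblasso-perl`, `libio-string-perl`, `libhttp-browserdetect-perl`), which reads like the list was merged from two sources. The `tmp/` path and the absence of any mention in Changes.md suggest this Dockerfile may be a scratch build committed by accident; if so it should be dropped from the commit rather than shipped.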
@@ -0,0 +1,31 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
+@@ -42,7 +42,27 @@ sub getUser {
+ return PE_ERROR;
+ }
+
+- my $userinfo_content = $self->getUserInfo( $op, $access_token );
++ my $userinfo_content;
++ if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
++ my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
++ $userinfo_content =
++ eval { JSON::from_fson( MIME::Base64::decode_base64url($tmp) ) };
++ $self->logger->error("Unable to read ID token content: $@") if ($@);
++ }
++ if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
++ my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
++ eval {
++ $tmp = JSON::from_fson( MIME::Base64::decode_base64url($tmp) );
++ $userinfo_content =
++ $userinfo_content
++ ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
++ : $tmp;
++ };
++ $self->logger->error("Unable to read ID token content: $@") if ($@);
++ }
++ unless ($userinfo_content) {
++ $userinfo_content = $self->getUserInfo( $op, $access_token );
++ }
+
+ unless ($userinfo_content) {
+ $self->logger->warn("No User Info content");