profile 클레임 구조 확장

2026-06-17 11:50:34 +09:00
parent fd05c049d3
commit efab2a7291
3 changed files with 111 additions and 33 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1040,7 +1040,7 @@ func normalizePhoneForLoginID(phone string) string {
 	return domain.NormalizePhoneNumber(phone)
 }

-func buildOidcClaimsFromTraits(traits map[string]any, scopes []string, tenantID string) map[string]any {
+func buildOidcClaimsFromTraits(traits map[string]any, scopes []string, tenantID string, profileStatus string) map[string]any {
 	claims := map[string]any{}
 	if traits == nil {
 		return claims
@@ -1089,31 +1089,27 @@ func buildOidcClaimsFromTraits(traits map[string]any, scopes []string, tenantID

 	if _, ok := scopeSet["profile"]; ok {
 		profile := map[string]any{}
-		names := map[string]any{}
-		for _, key := range []string{
-			"name",
-			"displayname",
-			"preferred_username",
-			"given_name",
-			"family_name",
-			"middle_name",
-			"nickname",
-		} {
-			if value := getString(key); value != "" {
-				names[key] = value
-			}
+		displayProfileName := displayName
+		if displayProfileName != "" {
+			profile["name"] = displayProfileName
 		}
-		if len(names) > 0 {
-			profile["names"] = names
+		if primaryEmail != "" {
+			profile["email"] = primaryEmail
 		}
-
-		emails := collectEmailList(traits, primaryEmail)
-		if len(emails) > 0 {
-			profile["emails"] = emails
+		if secondaryEmails := collectStringValues(traits, "sub_email", "secondary_emails", "additional_emails", "aliasEmails", "worksmobileAliasEmails"); len(secondaryEmails) > 0 {
+			profile["secondary_emails"] = secondaryEmails
 		}
 		if phone := getString("phone_number"); phone != "" {
 			profile["phones"] = []string{phone}
 		}
+		if employeeID := getString("employee_id"); employeeID != "" {
+			profile["employee_id"] = employeeID
+		}
+		if trimmedStatus := strings.TrimSpace(profileStatus); trimmedStatus != "" {
+			if normalizedStatus := strings.TrimSpace(domain.NormalizeUserStatus(trimmedStatus)); normalizedStatus != "" {
+				profile["status"] = normalizedStatus
+			}
+		}
 		if len(profile) > 0 {
 			claims["profile"] = profile
 		}
@@ -1218,13 +1214,63 @@ func withRefreshTokenExpiryClaim(claims map[string]any, issuedAt time.Time) map[
 	return claims
 }

-func composeOIDCSessionClaims(client domain.HydraClient, traits map[string]any, scopes []string, tenantID string, sessionID string) map[string]any {
-	claims := buildOidcClaimsFromTraits(traits, scopes, tenantID)
+func composeOIDCSessionClaims(client domain.HydraClient, traits map[string]any, scopes []string, tenantID string, sessionID string, profileStatus string) map[string]any {
+	claims := buildOidcClaimsFromTraits(traits, scopes, tenantID, profileStatus)
 	claims = applyConfiguredIDTokenClaims(claims, client.Metadata)
 	claims = withRefreshTokenExpiryClaim(claims, time.Now())
 	return withOidcSessionMetadata(claims, sessionID)
 }

+func collectStringValues(traits map[string]any, keys ...string) []string {
+	values := make([]string, 0)
+	seen := make(map[string]struct{})
+	add := func(raw string) {
+		value := strings.TrimSpace(raw)
+		if value == "" {
+			return
+		}
+		if _, ok := seen[value]; ok {
+			return
+		}
+		seen[value] = struct{}{}
+		values = append(values, value)
+	}
+	for _, key := range keys {
+		raw, ok := traits[key]
+		if !ok || raw == nil {
+			continue
+		}
+		switch value := raw.(type) {
+		case string:
+			add(value)
+		case []string:
+			for _, item := range value {
+				add(item)
+			}
+		case []any:
+			for _, item := range value {
+				add(fmt.Sprint(item))
+			}
+		}
+	}
+	return values
+}
+
+func (h *AuthHandler) resolveProfileStatus(ctx context.Context, subject string) string {
+	if h == nil || h.UserRepo == nil {
+		return ""
+	}
+	subject = strings.TrimSpace(subject)
+	if subject == "" {
+		return ""
+	}
+	user, err := h.UserRepo.FindByID(ctx, subject)
+	if err != nil || user == nil {
+		return ""
+	}
+	return domain.NormalizeUserStatus(user.Status)
+}
+
 func applyGlobalCustomClaims(baseClaims map[string]any, traits map[string]any) map[string]any {
 	if baseClaims == nil {
 		baseClaims = map[string]any{}
@@ -6298,6 +6344,7 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 						consentRequest.RequestedScope,
 						representativeTenantIDFromTraits(identity.Traits),
 						currentSessionID,
+						h.resolveProfileStatus(c.Context(), consentRequest.Subject),
 					)
 					sessionClaims = h.withHanmacFamilyTenantClaims(c.Context(), sessionClaims, identity.Traits, consentRequest.RequestedScope)
 					sessionClaims = h.withRPUserMetadataClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)
@@ -6336,6 +6383,7 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 				consentRequest.RequestedScope,
 				representativeTenantIDFromTraits(identity.Traits),
 				currentSessionID,
+				h.resolveProfileStatus(c.Context(), consentRequest.Subject),
 			)
 			sessionClaims = h.withHanmacFamilyTenantClaims(c.Context(), sessionClaims, identity.Traits, consentRequest.RequestedScope)
 			sessionClaims = h.withRPUserMetadataClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)
@@ -6527,6 +6575,7 @@ func (h *AuthHandler) AcceptConsentRequest(c *fiber.Ctx) error {
 		consentRequest.RequestedScope,
 		representativeTenantIDFromTraits(identity.Traits),
 		currentSessionID,
+		h.resolveProfileStatus(c.Context(), consentRequest.Subject),
 	)
 	sessionClaims = h.withHanmacFamilyTenantClaims(c.Context(), sessionClaims, identity.Traits, consentRequest.RequestedScope)
 	sessionClaims = h.withRPUserMetadataClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)