if an email is configured then use that

Author: chrisw-dev

internal/handlers/token.go

@@ -88,7 +88,7 @@ func (h *TokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idToken, err := generateIDToken(h.issuerURL, clientID)
+	idToken, err := h.generateIDToken(h.issuerURL, clientID)
 	if err != nil {
 		log.Printf("Error generating ID token: %v", err)
 		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
@@ -139,11 +139,21 @@ func generateRefreshToken(clientID string) string {
 }
 
 // Helper function to generate a mock ID token
-func generateIDToken(issuerURL, clientID string) (string, error) {
+func (h *TokenHandler) generateIDToken(issuerURL, clientID string) (string, error) {
 	// Generate a subject ID based on client ID
 	sub := "user-" + clientID
-	// Generate a default email based on client ID
-	email := clientID + "@example.com"
-
+	
+	// Check if there's a configured email in the token config
+	var email string
+	tokenConfig := h.store.GetTokenConfig()
+	if tokenConfig != nil {
+		if userInfoConfig, ok := tokenConfig["user_info"].(map[string]interface{}); ok {
+			if configuredEmail, ok := userInfoConfig["email"].(string); ok {
+				email = configuredEmail
+			}
+		}
+	}
+	
+	// If no email is configured, pass empty string (don't default to generated email)
 	return jwt.GenerateIDToken(issuerURL, clientID, sub, email)
 }

internal/jwt/jwt.go

@@ -52,7 +52,11 @@ func GenerateIDToken(issuer, clientID, sub, email string) (string, error) {
 		"exp":   now.Add(time.Hour).Unix(),
 		"iat":   now.Unix(),
 		"nonce": generateNonce(),
-		"email": email,
+	}
+	
+	// Only include email claim if an email is provided
+	if email != "" {
+		claims["email"] = email
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)