fix: merge user info claims into id token claims

oidc IDTokenClaims.SetUserInfo did not set the claims map from user info.
This fix merges the claims map into the IDToken Claims map.

pkg/oidc/token.go

@@ -8,6 +8,7 @@ import (
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2"
 
+	"github.com/muhlemmer/gu"
 	"github.com/zitadel/oidc/v2/pkg/crypto"
 )
 
@@ -157,6 +158,11 @@ func (t *IDTokenClaims) SetUserInfo(i *UserInfo) {
 	t.UserInfoEmail = i.UserInfoEmail
 	t.UserInfoPhone = i.UserInfoPhone
 	t.Address = i.Address
+
+	if t.Claims == nil {
+		t.Claims = make(map[string]any, len(t.Claims))
+	}
+	gu.MapMerge(i.Claims, t.Claims)
 }
 
 func (t *IDTokenClaims) GetUserInfo() *UserInfo {
@@ -166,7 +172,7 @@ func (t *IDTokenClaims) GetUserInfo() *UserInfo {
 		UserInfoEmail:   t.UserInfoEmail,
 		UserInfoPhone:   t.UserInfoPhone,
 		Address:         t.Address,
-		Claims:          t.Claims,
+		Claims:          gu.MapCopy(t.Claims),
 	}
 }
 

pkg/oidc/token_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/text/language"
 	"gopkg.in/square/go-jose.v2"
@@ -181,6 +182,7 @@ func TestIDTokenClaims_SetUserInfo(t *testing.T) {
 		UserInfoEmail:   userInfoData.UserInfoEmail,
 		UserInfoPhone:   userInfoData.UserInfoPhone,
 		Address:         userInfoData.Address,
+		Claims:          gu.MapCopy(userInfoData.Claims),
 	}
 
 	var got IDTokenClaims