docs: clarify that AdditionalClaims may come from id_token or userinfo endpoint

Signed-off-by: afsu <suaf2020@163.com>
afsu 2025-04-29 14:18:05 +08:00
parent c884b961cc
commit a3f2a52fea
3 changed files with 3 additions and 3 deletions


@ -526,7 +526,7 @@ Provider holds all configuration for a single provider
| `scope` | _string_ | Scope is the OAuth scope specification |
| `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
| `code_challenge_method` | _string_ | The code challenge method |
| `additionalClaims` | _[]string_ | Additional claims to be obtained from the `id_token`. |
| `additionalClaims` | _[]string_ | Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured. |
| `backendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |
### ProviderType


@ -134,7 +134,7 @@ type Provider struct {
// The code challenge method
CodeChallengeMethod string `yaml:"code_challenge_method,omitempty"`
// Additional claims to be obtained from the `id_token`.
// Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured.
AdditionalClaims []string `json:"additionalClaims,omitempty"`
// URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session
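Review bot: The new comment on `AdditionalClaims` names two sources but does not say which one wins when both the id_token and the userinfo response carry the same claim, or whether userinfo is only a fallback for claims missing from the token. That is worth stating for anyone who passes these claims on to authorization decisions, because the id_token is signature-verified while a userinfo response is typically plain JSON fetched with the access token; the extractor is not visible on this page, so the order needs to be confirmed there. A wording such as `// Each claim is read from the id_token first; the userinfo endpoint, if configured, is used only for claims the token lacks.` would remove the ambiguity, adjusted to the actual behaviour. The same sentence is repeated in the docs table row and at the assignment in `newProviderDataFromConfig`, so those would need the matching text; at the assignment a short pointer to the field's doc comment would avoid a third copy. The `Provider` struct starts and ends outside this hunk.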


@ -84,7 +84,7 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
ClientSecret: providerConfig.ClientSecret,
ClientSecretFile: providerConfig.ClientSecretFile,
AuthRequestResponseMode: providerConfig.AuthRequestResponseMode,
// additional claims to be extracted from the ID Token
// Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured.
AdditionalClaims: providerConfig.AdditionalClaims,
}