From a3f2a52feaccc6d889fd67cf337787dea261bc76 Mon Sep 17 00:00:00 2001
From: afsu
Date: Tue, 29 Apr 2025 14:18:05 +0800
Subject: [PATCH] docs: clarify that AdditionalClaims may come from id_token or userinfo endpoint
Signed-off-by: afsu
---
 docs/docs/configuration/alpha_config.md | 2 +-
 pkg/apis/options/providers.go | 2 +-
 providers/providers.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md
index 9fecc41d..b92b42f1 100644
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@@ -526,7 +526,7 @@ Provider holds all configuration for a single provider
 | `scope` | _string_ | Scope is the OAuth scope specification |
 | `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
 | `code_challenge_method` | _string_ | The code challenge method |
-| `additionalClaims` | _[]string_ | Additional claims to be obtained from the `id_token`. |
+| `additionalClaims` | _[]string_ | Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured. |
 | `backendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |
 ### ProviderType
diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go
index cc6daa82..f734469e 100644
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@@ -134,7 +134,7 @@ type Provider struct {
 // The code challenge method
 CodeChallengeMethod string `yaml:"code_challenge_method,omitempty"`
- // Additional claims to be obtained from the `id_token`.
+ // Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured.
 AdditionalClaims []string `json:"additionalClaims,omitempty"`
 // URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session
diff --git a/providers/providers.go b/providers/providers.go
index ee925314..af8dd4e4 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -84,7 +84,7 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 ClientSecret: providerConfig.ClientSecret,
 ClientSecretFile: providerConfig.ClientSecretFile,
 AuthRequestResponseMode: providerConfig.AuthRequestResponseMode,
- // additional claims to be extracted from the ID Token
+ // Additional claims to be obtained from the upstream IDP, either from the id_token or from the userinfo endpoint if configured.
 AdditionalClaims: providerConfig.AdditionalClaims,
 }
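Review bot: The new doc comment on the `AdditionalClaims` field in pkg/apis/options/providers.go names two sources but not which one wins when both return the same claim, and the same sentence is repeated in providers/providers.go and in the alpha_config.md table. That matters to operators who forward these claims to upstreams for authorization, because id_token claims are covered by the token signature while a userinfo response is typically plain JSON fetched with the access token. If the extractor reads the id_token first and only then falls back to userinfo (to be confirmed against the claim extractor, which is not in this diff), the comment could say so: ``// Additional claims to be obtained from the upstream IDP: read from the `id_token` first, falling back to the userinfo endpoint if one is configured.`` The new wording also drops the backticks around `id_token` that the removed line had and that the neighbouring backend-logout comment still uses. The struct and the function body both continue outside their hunks.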