fix(security): fix OIDC user identifier

Fixes #58941

Author: vincentchalamon

AccessToken/Oidc/OidcTokenHandler.php

@@ -92,7 +92,11 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             }
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
-            return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
+            return new UserBadge($claims[$this->claim], new FallbackUserLoader(function () use ($claims) {
+                $claims['user_identifier'] = $claims[$this->claim];
+
+                return $this->createUser($claims);
+            }), $claims);
         } catch (\Exception $e) {
             $this->logger?->error('An error occurred while decoding and validating the token.', [
                 'error' => $e->getMessage(),

AccessToken/Oidc/OidcUserInfoTokenHandler.php

@@ -47,7 +47,11 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             }
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
-            return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
+            return new UserBadge($claims[$this->claim], new FallbackUserLoader(function () use ($claims) {
+                $claims['user_identifier'] = $claims[$this->claim];
+
+                return $this->createUser($claims);
+            }), $claims);
         } catch (\Exception $e) {
             $this->logger?->error('An error occurred on OIDC server.', [
                 'error' => $e->getMessage(),

Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

@@ -47,7 +47,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
             'email' => '[email protected]',
         ];
         $token = $this->buildJWS(json_encode($claims));
-        $expectedUser = new OidcUser(...$claims);
+        $expectedUser = new OidcUser(...$claims, userIdentifier: $claims[$claim]);
 
         $loggerMock = $this->createMock(LoggerInterface::class);
         $loggerMock->expects($this->never())->method('error');
@@ -66,7 +66,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
         $this->assertInstanceOf(OidcUser::class, $actualUser);
         $this->assertEquals($expectedUser, $actualUser);
         $this->assertEquals($claims, $userBadge->getAttributes());
-        $this->assertEquals($claims['sub'], $actualUser->getUserIdentifier());
+        $this->assertEquals($claims[$claim], $actualUser->getUserIdentifier());
     }
 
     public static function getClaims(): iterable

Tests/AccessToken/Oidc/OidcUserInfoTokenHandlerTest.php

@@ -33,7 +33,7 @@ public function testGetsUserIdentifierFromOidcServerResponse(string $claim, stri
             'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
             'email' => '[email protected]',
         ];
-        $expectedUser = new OidcUser(...$claims);
+        $expectedUser = new OidcUser(...$claims, userIdentifier: $claims[$claim]);
 
         $responseMock = $this->createMock(ResponseInterface::class);
         $responseMock->expects($this->once())
@@ -52,7 +52,7 @@ public function testGetsUserIdentifierFromOidcServerResponse(string $claim, stri
         $this->assertInstanceOf(OidcUser::class, $actualUser);
         $this->assertEquals($expectedUser, $actualUser);
         $this->assertEquals($claims, $userBadge->getAttributes());
-        $this->assertEquals($claims['sub'], $actualUser->getUserIdentifier());
+        $this->assertEquals($claims[$claim], $actualUser->getUserIdentifier());
     }
 
     public static function getClaims(): iterable