From 5dafef82f252ff4d4bdbd00be83d7d74b660ef3b Mon Sep 17 00:00:00 2001
From: Nicolas Drolet
Date: Wed, 3 Dec 2025 14:10:17 -0500
Subject: [PATCH] refactor(auth): make validate method of strategy use parsed idToken to work with Authentik JWT payload instead of profile
---
 .../authentication/strategies/authentik.strategy.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/identity-and-account/authentication/strategies/authentik.strategy.ts b/src/identity-and-account/authentication/strategies/authentik.strategy.ts
index 6609356..5d1c029 100644
--- a/src/identity-and-account/authentication/strategies/authentik.strategy.ts
+++ b/src/identity-and-account/authentication/strategies/authentik.strategy.ts
@@ -49,10 +49,15 @@ export class AuthentikStrategy extends PassportStrategy(OIDCStrategy, 'openidcon
 cb: VerifyCallback,
 ): Promise {
 try {
- const email = profile.emails?.[0]?.value;
- if (!email) return cb(new Error('Missing email in OIDC profile'), false);
- const user = await this.authentikAuthService.validateUser(email);
+
+ const components = _idToken.split('.');
+ const payload = Buffer.from(components[1], "base64").toString('utf-8');
+ const claims = JSON.parse(payload);
+
+ if (!claims.email) return cb(new Error('Missing email in OIDC profile'), false);
+
+ const user = await this.authentikAuthService.validateUser(claims.email);
 if (!user) return cb(new Error('User not found'), false);
 return cb(null, user);