How to issue Email claim in ID token (w/o "email" scope)?

I am trying to integrate Auth0 with SharePoint Subscription Edition using OIDC.

SP SE can integrate with IdPs that support OIDC. Once configured, SP SE will initiate an authorization request to the authorization endpoint with the scope “openid” only to request an ID token.

The challenge I am facing is that Auth0 does not issue the email claim in the ID token unless “email” is specified in the scope, i.e. scope=“openid email”. I cannot change how SharePoint issues the request to include the email scope. I cannot add the email claim as a custom claim because SP would not recognize “https://namespace/email” as an identity claim.

Any trick to issue the email claim in ID token without specifying email scope?

BTW: I know I probably could use WS-Fed to integrate with SP, though I have a requirement to use only OIDC. Integrating SP SE with other providers using OIDC was a breeze, not so with Auth0. The first roadblock I came across was that the Auth0 OIDC Discovery endpoint does not publish “end_session_endpoint”, and this is required by SP for auto-config. I know it is not required by the OIDC spec, but SP requires it and all other IdPs I have used publish it for the app registration. I ended up having to manually configure the token issuer in SP with PowerShell, which is no joy because I have to update the config when the cert gets rotated or users will not be able to log in.
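The manual token-issuer configuration described in the post has to be refreshed whenever Auth0 rotates its signing certificate, and the post also notes that Auth0's discovery document lacks end_session_endpoint. The following is an added example, not code from the original post, from Auth0 or from Microsoft. It pulls the current signing certificates from the provider's JWKS (each key's x5c[0] is the base64 DER certificate) and re-imports into the SharePoint trusted identity token issuer only when the certificate SharePoint currently trusts is no longer published. Assumptions: the issuer was created manually and is named "Auth0" (hypothetical), the tenant domain is a placeholder, and the script runs in the SharePoint Management Shell (or a session that can load the Microsoft.SharePoint.PowerShell snap-in).

```powershell
# Added example, not from the original post. Assumes a manually created
# SPTrustedIdentityTokenIssuer named "Auth0" (hypothetical) and a placeholder tenant.
$Auth0Domain = "your-tenant.us.auth0.com"   # placeholder, replace with your tenant
$IssuerName  = "Auth0"                        # hypothetical issuer name in SharePoint

# Windows PowerShell 5.1 may default to an older TLS version; force TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$discovery = Invoke-RestMethod -Uri "https://$Auth0Domain/.well-known/openid-configuration"

# SharePoint auto-config needs end_session_endpoint; report whether it is published
# so you know whether the manual issuer configuration is still required.
if (-not $discovery.end_session_endpoint) {
    Write-Warning "Discovery document publishes no end_session_endpoint; SharePoint auto-config will not work, keep the manual issuer."
}

# Signing certificates are published in JWKS; x5c[0] is the base64 DER certificate.
$jwks = Invoke-RestMethod -Uri $discovery.jwks_uri
$published = @(foreach ($key in $jwks.keys) {
    if ($key.use -eq "sig" -and $key.x5c) {
        $der = [Convert]::FromBase64String($key.x5c[0])
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
})
if ($published.Count -eq 0) { throw "JWKS at $($discovery.jwks_uri) contains no signing certificates" }

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
$trusted = $issuer.SigningCertificate

# Only act when the certificate SharePoint trusts is no longer one the provider publishes;
# otherwise ID token signature validation would start failing and users could not log in.
if ($trusted -and ($published.Thumbprint -contains $trusted.Thumbprint)) {
    Write-Host "Trusted signing certificate $($trusted.Thumbprint) is still published; nothing to do."
} else {
    $new = $published | Sort-Object NotBefore -Descending | Select-Object -First 1
    Write-Host "Importing signing certificate $($new.Thumbprint) (valid from $($new.NotBefore))"
    Set-SPTrustedIdentityTokenIssuer -Identity $issuer -ImportTrustCertificate $new
}
```

Run it from a scheduled task on one farm server so a rotation is picked up before sign-ins start failing. If your manual setup also registered the certificate with New-SPTrustedRootAuthority, update that entry with the same certificate as well.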

Hi there @samwongacn welcome to the community!

As far as I’m aware, there’s no way to get an email claim without specifying the email scope in the request. Unfortunately, omitting the scope but attempting to add the claim manually is not allowed, given the fact that email is a standard protected claim.

It’s curious that SharePoint doesn’t support including the email scope. Are you able to point me in the direction of the specific documentation regarding this?

Let me know!