I am trying to integrate Auth0 with SharePoint Subscription Edition using OIDC.
SP SE can integrate with IdPs that support OIDC. Once configured, SP SE will initiate an authorization request to the authorization endpoint with the scope "openid" only to request an ID token.
The challenge I am facing is that Auth0 does not issue the email claim in the ID token unless "email" is specified in the scope, i.e. scope="openid email". I cannot change how SharePoint issues the request to include the email scope. I cannot add the email claim as a custom claim because SP would not recognize "https://namespace/email" as an identity claim.
Any trick to issue the email claim in ID token without specifying email scope?
BTW: I know I probably could use WS-Fed to integrate with SP, though I have a requirement to use only OIDC. Integrating SP SE with other providers using OIDC was a breeze, not so with Auth0. The first roadblock I came across was that the Auth0 OIDC Discovery endpoint does not publish "end_session_endpoint", and this is required by SP for auto-config. I know it is not required by the OIDC spec, but SP requires it, and all the other IdPs I have used publish it for the app registration. I ended up having to manually configure the token issuer in SP with PowerShell, which is no joy because I have to update the config when the cert gets rotated or users will not be able to log in.
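A small diagnostic for the two gaps described in this post (an ID token issued for scope=openid that carries no email claim, and a discovery document without end_session_endpoint). This is an added example, not code from the post or from Auth0 or SharePoint; the tokens and discovery document are constructed samples, the token decoding deliberately skips signature verification because it only inspects claims, and the set of discovery keys SharePoint needs is an assumption based on the post.

```python
import base64
import json

# Discovery keys SharePoint SE's OIDC auto-config is assumed to need; the post
# reports Auth0 omits end_session_endpoint, which the OIDC spec does not require.
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "jwks_uri", "end_session_endpoint")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.
    No signature check: this only inspects what the IdP put in the token;
    it must not be used as a validator."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_identity_claims(claims: dict, identity_claim: str = "email") -> list:
    """Claims SharePoint needs for user mapping that the token lacks."""
    return [c for c in ("iss", "sub", identity_claim) if c not in claims]


def missing_discovery_keys(discovery: dict) -> list:
    """Discovery keys SharePoint auto-config needs that the IdP did not publish."""
    return [k for k in REQUIRED_DISCOVERY_KEYS if k not in discovery]


def _make_sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo (placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed samples (hypothetical tenant and client id).
_BASE = {"iss": "https://example-tenant.auth0.com/", "sub": "auth0|123", "aud": "sp-client-id"}
SAMPLE_TOKEN_OPENID_ONLY = _make_sample_jwt(_BASE)                            # scope=openid
SAMPLE_TOKEN_WITH_EMAIL = _make_sample_jwt({**_BASE, "email": "user@example.com"})  # scope=openid email
SAMPLE_DISCOVERY = {"issuer": _BASE["iss"], "authorization_endpoint": _BASE["iss"] + "authorize",
                    "jwks_uri": _BASE["iss"] + ".well-known/jwks.json"}       # no end_session_endpoint

if __name__ == "__main__":
    print("openid only, missing:", missing_identity_claims(id_token_claims(SAMPLE_TOKEN_OPENID_ONLY)))
    print("openid email, missing:", missing_identity_claims(id_token_claims(SAMPLE_TOKEN_WITH_EMAIL)))
    print("discovery, missing:", missing_discovery_keys(SAMPLE_DISCOVERY))
```

Run the discovery check against the real /.well-known/openid-configuration response and the claim check against a token captured from your own test login to confirm which of the two gaps you are hitting.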