Standardizing the OAuth 2.0 JWT payload
The service assumes an "email" attribute is present in the JWT payload and attempts to read it; see /src/shared/utils.ts. There is no standardized claim name for this attribute: depending on the identity provider it could be "email", "username", etc.
When using sdutil to upload data with the --idtoken= parameter, the service silently swallows the resulting error and returns a cryptic response:
The service should instead query the OAuth 2.0 /userInfo/ endpoint to determine which claim carries the email address, and then read that claim from the JWT dynamically, avoiding naming conflicts between cloud providers and identity provider services.
An existing implementation of this flow, which first discovers the custom email attribute and then reads it from the JWT payload, can be found here: https://community.opengroup.org/osdu/platform/system/lib/cloud/aws/os-core-lib-aws/-/blob/master/src/main/java/org/opengroup/osdu/core/aws/entitlements/Authorizer.java#L121
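The discovery flow described above, as an added TypeScript example (not code from this service or from the linked Java implementation): the userinfo endpoint is asked for the caller's email, the token payload is searched for the claim holding that value, and the discovered claim name is cached per issuer so later tokens from the same identity provider can be read without another round trip. The userinfo call is injected as a function so the example runs offline; the sample token, the candidate claim names and the `Claims` type are all constructed here, and the token payload is decoded without any signature check, which a real service must have performed before trusting a claim. A missing or mismatched email now produces a descriptive error instead of the silent failure the issue reports.

```typescript
// Added example: discover which JWT claim carries the user's email via the
// userinfo endpoint, then read that claim from the token dynamically.
// Assumptions (not from the issue): the userinfo response shape, the sample
// token and the candidate claim names below are constructed for this example.
// The token signature must be verified elsewhere before any claim is trusted.

type Claims = Record<string, unknown>;
// Stands in for an HTTP GET of the userinfo endpoint with "Authorization: Bearer <token>".
type UserInfoFetcher = (idToken: string) => Claims;

// Claim names different identity providers have been seen to use for the email.
const CANDIDATE_EMAIL_CLAIMS = ["email", "username", "preferred_username", "upn", "cognito:username"];

function base64UrlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

function base64UrlEncode(o: object): string {
  return Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the payload segment only; no signature verification happens here.
function decodeJwtPayload(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT: expected 3 segments");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload !== "object" || payload === null) throw new Error("malformed JWT payload");
  return payload as Claims;
}

// Discovered claim name per issuer, so userinfo is queried once per identity provider.
const emailClaimByIssuer = new Map<string, string>();

function discoverEmailClaim(token: string, fetchUserInfo: UserInfoFetcher): string {
  const claims = decodeJwtPayload(token);
  const iss = typeof claims.iss === "string" ? claims.iss : "";
  const cached = emailClaimByIssuer.get(iss);
  if (cached !== undefined && typeof claims[cached] === "string") return cached;

  // The userinfo endpoint validates the token itself, so its "email" is authoritative.
  const info = fetchUserInfo(token);
  const email = info.email;
  if (typeof email !== "string" || email.length === 0) {
    throw new Error("userinfo endpoint did not return an email for this token");
  }
  // Find the token claim that holds the value userinfo reported as the email:
  // well-known names first, then any other string claim with that exact value.
  const match = CANDIDATE_EMAIL_CLAIMS.find((name) => claims[name] === email)
    || Object.keys(claims).find((name) => claims[name] === email);
  if (!match) throw new Error("no JWT claim matches the email returned by userinfo");
  emailClaimByIssuer.set(iss, match);
  return match;
}

// What the service would call instead of hard-coding claims["email"].
function getEmailFromToken(token: string, fetchUserInfo: UserInfoFetcher): string {
  const claimName = discoverEmailClaim(token, fetchUserInfo);
  const value = decodeJwtPayload(token)[claimName];
  if (typeof value !== "string") throw new Error(`claim "${claimName}" missing from token`);
  return value;
}

// Constructed, unsigned sample token (for the decoding demo only) whose email
// lives under "username", as some identity providers issue it.
function makeUnsignedToken(payload: Claims): string {
  return `${base64UrlEncode({ alg: "none", typ: "JWT" })}.${base64UrlEncode(payload)}.`;
}

const SAMPLE_TOKEN = makeUnsignedToken({
  iss: "https://idp.example/",
  sub: "abc",
  username: "alice@example.com",
});

// Constructed userinfo responder: echoes the email the sample IdP knows for this token.
const sampleUserInfo: UserInfoFetcher = (token) => {
  const c = decodeJwtPayload(token);
  return { sub: c.sub, email: c.username };
};

console.log(discoverEmailClaim(SAMPLE_TOKEN, sampleUserInfo)); // "username"
console.log(getEmailFromToken(SAMPLE_TOKEN, sampleUserInfo));  // "alice@example.com"
```

Keying the cache on `iss` matters because a deployment may accept tokens from more than one identity provider, each with its own claim name; a single global mapping would silently read the wrong claim as soon as a second provider appears.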