Hi, thank you for this project! Would it be possible to use a claim other than preferred_username when mapping the user?
Use case: I am trying to use my Synology NAS as OIDC provider, it has a built-in package called SSO Server which can do this. Unfortunately, it does not provide preferred_username as a claim, instead it appears to use username.
From the well known URL for Synology NAS:
```json
{
  "authorization_endpoint" : "https://nasexample.host/webman/sso/SSOOauth.cgi",
  "claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
  "code_challenge_methods_supported" : [ "S256", "plain" ],
  "grant_types_supported" : [ "authorization_code", "implicit" ],
  "id_token_signing_alg_values_supported" : [ "RS256" ],
  "issuer" : "https://nasexample.host/webman/sso",
  "jwks_uri" : "https://nasexample.host/webman/sso/openid-jwks.json",
  "response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
  "scopes_supported" : [ "email", "groups", "openid" ],
  "subject_types_supported" : [ "public" ],
  "token_endpoint" : "https://nasexample.host/webman/sso/SSOAccessToken.cgi",
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
  "userinfo_endpoint" : "https://nasexample.host/webman/sso/SSOUserInfo.cgi"
}
```
Note: There is no configuration possible on the Synology NAS side to, for example, change the claims. It is baked in, as-is.
I was able to in general get tinyauth working with the Synology NAS using the generic setup, however, I am not getting the username in tinyauth, example log line below:
```
tinyauth | 2025-09-23T20:36:27.459435476Z 2025-09-23T20:36:27Z DBG Got user user={"email":"someemail@host.com","groups":["group1","group2"],"name":"","preferred_username":""}
```
I am getting the email for this user, and I know in the docs tinyauth can generate a stand-in username based on the email; however, two points specific to the Synology NAS: 1. A user's email can be blank, and 2. A user's email is non-unique (i.e. on this system multiple users can be created with the same email).
Working Example: As an example of this working, I also set up Jellyfin using the community-created SSO plugin, also using the Synology NAS as OIDC provider. In their plugin they have the option to specify custom scopes as well as explicitly set which claim to use for the username. When I set the claim to username there, I can see the usernames coming through with that setup. Here is an example of how I set up the config there just as an example:
Possible enhancement: Maybe an environment variable could be added which overrides the preferred_username field to some custom value, like:
OAUTH_CUSTOM_USERCLAIM=username
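The claim selection requested above, as an added Go example; it is not tinyauth's code and not from the issue author. `ResolveUsername`, `ErrNoUsername` and the sample userinfo document are hypothetical, and `OAUTH_CUSTOM_USERCLAIM` is only the name proposed in this issue, not an existing option. It assumes the provider returns its claims as a flat JSON object, and it falls back to `sub` rather than `email` because the email here can be blank or shared between accounts.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrNoUsername is returned when none of the candidate claims holds a usable value.
var ErrNoUsername = errors.New("no usable username claim in userinfo response")

// ResolveUsername picks the login name from a decoded userinfo document.
// customClaim is the operator-chosen claim name (hypothetical setting, e.g. the
// OAUTH_CUSTOM_USERCLAIM value proposed in the issue); empty means "not set".
// It returns the value and the name of the claim it was taken from.
func ResolveUsername(userinfo []byte, customClaim string) (string, string, error) {
	var claims map[string]any
	if err := json.Unmarshal(userinfo, &claims); err != nil {
		return "", "", fmt.Errorf("decode userinfo: %w", err)
	}
	// Order: explicit override, the OIDC standard claim, then "sub", which a
	// userinfo response must carry and which is unique within one issuer.
	candidates := []string{customClaim, "preferred_username", "sub"}
	for _, name := range candidates {
		if name == "" {
			continue
		}
		// Only non-blank strings count; arrays, numbers and "" are skipped.
		if v, ok := claims[name].(string); ok && strings.TrimSpace(v) != "" {
			return strings.TrimSpace(v), name, nil
		}
	}
	// Email is deliberately not a fallback: it may be blank or non-unique.
	return "", "", ErrNoUsername
}

// Constructed sample, shaped like the claims listed in the discovery document.
const sampleUserinfo = `{"sub":"1026","username":"alice",` +
	`"email":"someemail@host.com","groups":["group1","group2"]}`

func main() {
	for _, claim := range []string{"username", ""} {
		name, from, err := ResolveUsername([]byte(sampleUserinfo), claim)
		fmt.Printf("custom=%q -> %q (from %q) err=%v\n", claim, name, from, err)
	}
}
```

Whatever claim supplies the display name, keying the stored identity on the issuer plus `sub` keeps two accounts that share a name or email from being treated as one user.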