Deprecate UserIDClaim in config and docs

providers/oidc.go

@@ -42,7 +42,7 @@ func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code string) (*s
 	}
 	token, err := c.Exchange(ctx, code)
 	if err != nil {
-		return nil, fmt.Errorf("token exchange failure: %v", err)
+		return nil, fmt.Errorf("token exchange failed: %v", err)
 	}
 
 	return p.createSession(ctx, token, false)

providers/provider_data.go

@@ -15,6 +15,11 @@ import (
 	"golang.org/x/oauth2"
 )
 
+const (
+	OIDCEmailClaim  = "email"
+	OIDCGroupsClaim = "groups"
+)
+
 // ProviderData contains information required to configure all implementations
 // of OAuth2 providers
 type ProviderData struct {
@@ -154,7 +159,7 @@ func (p *ProviderData) buildSessionFromClaims(idToken *oidc.IDToken) (*sessions.
 
 	// `email_verified` must be present and explicitly set to `false` to be
 	// considered unverified.
-	verifyEmail := (p.EmailClaim == emailClaim) && !p.AllowUnverifiedEmail
+	verifyEmail := (p.EmailClaim == OIDCEmailClaim) && !p.AllowUnverifiedEmail
 	if verifyEmail && claims.Verified != nil && !*claims.Verified {
 		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
 	}

providers/provider_default.go

@@ -13,8 +13,6 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 )
 
-const emailClaim = "email"
-
 var (
 	// ErrNotImplemented is returned when a provider did not override a default
 	// implementation method that doesn't have sensible defaults