fix: disable /loaduser

client/src/app/oidc.ts

@@ -7,6 +7,7 @@ export const OIDC_SERVER_URL = isAuthServerEmbedded
   ? ENV.OIDC_SERVER_EMBEDDED_PATH || "/auth/realms/trustify"
   : ENV.OIDC_SERVER_URL || "http://localhost:8090/realms/trustify";
 export const OIDC_CLIENT_ID = ENV.OIDC_CLIENT_ID || "frontend";
+export const OIDC_LOAD_USER = ENV.OIDC_LOAD_USER === "true";
 
 // Cognito requires client_id + logout_uri.
 // Keycloak ignores both (uses id_token_hint + post_logout_redirect_uri added by oidc-client-ts instead) and follows the OIDC RP-Initiated Logout spec.
@@ -23,6 +24,6 @@ export const oidcClientSettings: OidcClientSettings = {
   redirect_uri: window.location.origin,
   post_logout_redirect_uri: window.location.origin,
   response_type: "code",
-  loadUserInfo: true,
+  loadUserInfo: OIDC_LOAD_USER,
   scope: ENV.OIDC_SCOPE || "openid",
 };

common/src/environment.ts

@@ -40,6 +40,9 @@ export type TrustificationEnvType = {
   /** The Keycloak Realm */
   OIDC_SERVER_EMBEDDED_PATH?: string;
 
+  /** Whether or not call to /loaduser endpoint on Auth flow */
+  OIDC_LOAD_USER?: "true" | "false";
+
   /** Target URL for the UI server's `/api` proxy */
   TRUSTIFY_API_URL?: string;
 
@@ -68,6 +71,7 @@ export const buildTrustificationEnv = ({
   AUTH_REQUIRED = "true",
   OIDC_CLIENT_ID,
   OIDC_SCOPE,
+  OIDC_LOAD_USER = "true",
 
   UI_INGRESS_PROXY_BODY_SIZE = "500m",
   TRUSTIFY_API_URL,
@@ -81,6 +85,7 @@ export const buildTrustificationEnv = ({
   OIDC_SERVER_URL,
   OIDC_SERVER_IS_EMBEDDED,
   OIDC_SERVER_EMBEDDED_PATH,
+  OIDC_LOAD_USER,
   AUTH_REQUIRED,
   OIDC_CLIENT_ID,
   OIDC_SCOPE,

crate/src/lib.rs

@@ -28,6 +28,9 @@ pub struct UI {
 
     #[serde(rename(serialize = "OIDC_SCOPE"))]
     pub oidc_scope: String,
+
+    #[serde(rename(serialize = "OIDC_LOAD_USER"))]
+    pub oidc_load_user: String,
 }
 
 pub fn trustify_ui_resources() -> HashMap<&'static str, Resource> {