fix: ensure all OIDC providers return a correct profile shape

packages/core/src/providers/apple.ts

@@ -166,7 +166,7 @@ export default function Apple<P extends AppleProfile>(
         id: profile.sub,
         name: profile.name,
         email: profile.email,
-        image: null,
+        image: profile.picture ?? null,
       }
     },
     style: {

packages/core/src/providers/asgardeo.ts

@@ -116,6 +116,14 @@ export default function Asgardeo(
       bg: "#000",
       text: "#fff",
     },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture ?? null,
+      }
+    },
     options: config,
   }
 }

packages/core/src/providers/auth0.ts

@@ -123,6 +123,14 @@ export default function Auth0(
     id: "auth0",
     name: "Auth0",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/auth0.svg", text: "#fff", bg: "#EB5424" },
     options: config,
   }

packages/core/src/providers/authentik.ts

@@ -89,6 +89,14 @@ export default function Authentik<P extends AuthentikProfile>(
     id: "authentik",
     name: "Authentik",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture ?? null,
+      }
+    },
     options,
   }
 }

packages/core/src/providers/battlenet.ts

@@ -91,8 +91,8 @@ export default function BattleNet<P extends BattleNetProfile>(
       return {
         id: profile.sub,
         name: profile.battle_tag,
-        email: null,
-        image: null,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
       }
     },
     style: { logo: "/battlenet.svg", bg: "#148eff", text: "#fff" },

packages/core/src/providers/cognito.ts

@@ -80,6 +80,14 @@ export default function Cognito<P extends CognitoProfile>(
     id: "cognito",
     name: "Cognito",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/cognito.svg", bg: "#fff", text: "#C17B9E" },
     options,
   }

packages/core/src/providers/descope.ts

@@ -16,7 +16,7 @@ import type { OIDCConfig, OIDCUserConfig } from "./index.js"
 /** The returned user profile from Descope when using the profile callback.
  * [See Load User](https://docs.descope.com/api/openapi/usermanagement/operation/LoadUser/)
  */
-export interface DescopeProfile {
+export interface DescopeProfile extends Record<string, any> {
   /** The user's unique Descope ID */
   sub: string
   /** The user's name */
@@ -98,14 +98,22 @@ export interface DescopeProfile {
  * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
  * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
  */
-export default function Descope(
-  config: OIDCUserConfig<DescopeProfile>
-): OIDCConfig<DescopeProfile> {
+export default function Descope<P extends DescopeProfile>(
+  config: OIDCUserConfig<P>
+): OIDCConfig<P> {
   return {
     id: "descope",
     name: "Descope",
     type: "oidc",
     issuer: `https://api.descope.com/${config.clientId}`,
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: {
       logo: "/descope.svg",
       bg: "#1C1C23",

packages/core/src/providers/duende-identity-server6.ts

@@ -90,6 +90,14 @@ export default function DuendeIdentityServer6<P extends DuendeISUser>(
     id: "duende-identity-server6",
     name: "DuendeIdentityServer6",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     options,
   }
 }

packages/core/src/providers/google.ts

@@ -142,6 +142,14 @@ export default function Google<P extends GoogleProfile>(
     name: "Google",
     type: "oidc",
     issuer: "https://accounts.google.com",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/google.svg", bg: "#fff", text: "#000" },
     options,
   }

packages/core/src/providers/identity-server4.ts

@@ -67,6 +67,14 @@ export default function IdentityServer4(
     id: "identity-server4",
     name: "IdentityServer4",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     options,
   }
 }

packages/core/src/providers/keycloak.ts

@@ -99,6 +99,14 @@ export default function Keycloak<P extends KeycloakProfile>(
     id: "keycloak",
     name: "Keycloak",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/keycloak.svg", bg: "#fff", text: "#000" },
     options,
   }

packages/core/src/providers/line.ts

@@ -90,6 +90,14 @@ export default function LINE<P extends LineProfile>(
     client: {
       id_token_signed_response_alg: "HS256",
     },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/line.svg", bg: "#00C300", text: "#fff" },
     options,
   }

packages/core/src/providers/okta.ts

@@ -98,8 +98,16 @@ export default function Okta<P extends OktaProfile>(
     id: "okta",
     name: "Okta",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
+    checks: ["pkce", "state"],
     style: { logo: "/okta.svg", bg: "#000", text: "#fff" },
-    checks: ['pkce', 'state'],
     options,
   }
 }

packages/core/src/providers/onelogin.ts

@@ -65,6 +65,14 @@ export default function OneLogin(
     name: "OneLogin",
     type: "oidc",
     wellKnown: `${config.issuer}/oidc/2/.well-known/openid-configuration`,
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     options: config,
   }
 }

packages/core/src/providers/ory-hydra.ts

@@ -78,6 +78,14 @@ export default function OryHydra<P extends OryHydraProfile>(
     id: "hydra",
     name: "Hydra",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: {
       logo: "/ory.svg",
       logoDark: "/ory-dark.svg",

packages/core/src/providers/passage.ts

@@ -12,7 +12,7 @@
 import type { OAuthConfig, OAuthUserConfig } from "./index.js"
 
 /** @see [Supported Scopes](https://docs.passage.id/hosted-login/oidc-client-configuration#supported-scopes) */
-export interface PassageProfile {
+export interface PassageProfile extends Record<string, any> {
   iss: string
   /** Unique identifer in Passage for the user */
   sub: string
@@ -81,14 +81,22 @@ export interface PassageProfile {
  *
  * :::
  */
-export default function Passage(
-  config: OAuthUserConfig<PassageProfile>
-): OAuthConfig<PassageProfile> {
+export default function Passage<P extends PassageProfile>(
+  config: OAuthUserConfig<P>
+): OAuthConfig<P> {
   return {
     id: "passage",
     name: "Passage",
     type: "oidc",
     client: { token_endpoint_auth_method: "client_secret_basic" },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: {
       logo: "/passage.svg",
       bg: "#fff",

packages/core/src/providers/slack.ts

@@ -106,6 +106,14 @@ export default function Slack<P extends SlackProfile>(
     name: "Slack",
     type: "oidc",
     issuer: "https://slack.com",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/slack.svg", bg: "#000", text: "#fff" },
     options,
   }

packages/core/src/providers/twitch.ts

@@ -113,6 +113,14 @@ export default function Twitch(
         }
       },
     },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     style: { logo: "/twitch.svg", bg: "#65459B", text: "#fff" },
     options: config,
   }

packages/core/src/providers/united-effects.ts

@@ -82,6 +82,14 @@ export default function UnitedEffects<P extends UnitedEffectsProfile>(
     authorization: {
       params: { scope: "openid email profile", resource: options.issuer },
     },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     options,
   }
 }

packages/core/src/providers/zitadel.ts

@@ -118,6 +118,14 @@ export default function ZITADEL<P extends ZitadelProfile>(
     id: "zitadel",
     name: "ZITADEL",
     type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: profile.picture ?? null,
+      }
+    },
     options,
   }
 }