feat: use global_user_id over sub for vercel_marketplace issuer (#1990)

If [Vercel
Marketplace](https://vercel.com/docs/integrations/create-integration/marketplace-api#user-authentication)
issues an OIDC JWT with `global_user_id` prefer that over `sub`.

Author: hf

internal/api/provider/oidc.go

@@ -356,6 +356,7 @@ func parseKakaoIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, e
 type VercelMarketplaceIDTokenClaims struct {
 	jwt.RegisteredClaims
 
+	GlobalUserID  string `json:"global_user_id"`
 	UserEmail     string `json:"user_email"`
 	UserName      string `json:"user_name"`
 	UserAvatarUrl string `json:"user_avatar_url"`
@@ -376,10 +377,16 @@ func parseVercelMarketplaceIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserPro
 		Primary:  true,
 	})
 
+	subject := token.Subject
+
+	if claims.GlobalUserID != "" {
+		subject = "global_user_id:" + claims.GlobalUserID
+	}
+
 	data.Metadata = &Claims{
 		Issuer:     token.Issuer,
-		Subject:    token.Subject,
-		ProviderId: token.Subject,
+		Subject:    subject,
+		ProviderId: subject,
 		Name:       claims.UserName,
 		Picture:    claims.UserAvatarUrl,
 	}

internal/api/provider/oidc_test.go

@@ -80,6 +80,11 @@ var realIDTokens map[string]realIDToken = map[string]realIDToken{
 		IDToken:     "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlhvdVhMWVExVGlwNW9kWWFqaUN0RlZnVmFFcyJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTE4ODA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFCWkRuRDkxOTBfc2wxcTZwenZlRHZNIiwiYXVkIjoiYTBkOGY5NzItNTRhYy00YWJmLTkxNGMtNTIyMDE0YzQwMjJhIiwiZXhwIjoxNjk3MzY0NDczLCJpYXQiOjE2OTcyNzc3NzMsIm5iZiI6MTY5NzI3Nzc3MywiZW1haWwiOiJzZGltaXRyb3Zza2lAZ21haWwuY29tIiwidGlkIjoiOTE4ODA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkIiwieG1zX2Vkb3YiOiIxIiwiYWlvIjoiRHBQV3lZSnRJcUl5OHpyVjROIUlIdGtFa09BMDhPS29lZ1RkYmZQUEVPYmxtYk9ESFQ0cGJVcVI1cExraENyWWZ6bUgzb3A1RzN5RGp2M0tNZ0Rad29lQ1FjKmVueldyb21iQ3BuKkR6OEpQOGMxU3pEVG1TbGp4U3U3UnVLTXNZSjRvS1lDazFBSVcqUUNUTmlMWkpUKlN3WWZQcjZBTW9IejFEZ3pBZEFkbk9uWiFHNUNFeEtQalBxcHRuVmpUZlEkJCJ9.CskICxOaeqd4SkiPdWEHJKZVdhAdgzM5SN7K7FYi0dguQH1-v6XTetDIoEsBn0GZoozXjbG2GgkFcVhhBvNA0ZrDIr4KcjfnJ5-7rwX3AtxdQ3umrHRlGu3jlmbDOtWzPWNMLLRXfR1Mm3pHEUvlzqmk3Ffh4TuAmXID-fb-Xmfuuv1k0UsZ5mlr_3ybTPVZk-Lj0bqkR1L5Zzt4HjgfpchRryJ3Y24b4dDsSjg7mgE_5JivgjhtVef5OnqYhKUF1DTy2pFysFO_eRliK6qjouYeZnQOJnWHP1MgpySAOQ3sVcwvE4P9g7V3QouxByZPv-g99N1K4GwZrtdm46gtTQ",
 		Verifier:    azureIDTokenVerifier,
 	},
+	IssuerVercelMarketplace: {
+		AccessToken: "access-token",
+		Time:        time.Unix(1744883141, 0), // 1 sec after iat
+		IDToken:     "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1yay00MzAyZWMxYjY3MGY0OGE5OGFkNjFkYWRlNGEyM2JlNyJ9.eyJpc3MiOiJodHRwczovL21hcmtldHBsYWNlLnZlcmNlbC5jb20iLCJzdWIiOiJhY2NvdW50OmRjYzIyNjJkZTY1ZjRmZGU2NDcyNWRkOWNiYzRjY2RlZjUzZWExNTc0NTU3ODZmNjU0YTdjNjNiZTQ3ZTI2YTE6dXNlcjo3Zjc5YjcwMDdkZWZjNmRlODZkMGQwZTEwMjM0NTlmYTFjMDljYjlhMGM2YzExY2I1YmQyMzRlMWJjZDVjOTkyIiwiYXVkIjoib2FjXzVuYzJGOGk3c3VYc0tmSjVURzc2NVRkeSIsImluc3RhbGxhdGlvbl9pZCI6ImljZmdfQ3hsUjhuRW9HOVc3bFFvSnB4QklFZGR3IiwiYWNjb3VudF9pZCI6ImRjYzIyNjJkZTY1ZjRmZGU2NDcyNWRkOWNiYzRjY2RlZjUzZWExNTc0NTU3ODZmNjU0YTdjNjNiZTQ3ZTI2YTEiLCJ1c2VyX2lkIjoiN2Y3OWI3MDA3ZGVmYzZkZTg2ZDBkMGUxMDIzNDU5ZmExYzA5Y2I5YTBjNmMxMWNiNWJkMjM0ZTFiY2Q1Yzk5MiIsInVzZXJfcm9sZSI6IkFETUlOIiwidXNlcl9lbWFpbCI6ImthbWlsLm9nb3Jla0BnbWFpbC5jb20iLCJnbG9iYWxfdXNlcl9pZCI6IjhyNlptNzFid2V6Z3daMlo1UWVCQm1oOCIsInVzZXJfbmFtZSI6IkthbWlsIE9nw7NyZWsiLCJ1c2VyX2F2YXRhcl91cmwiOiJodHRwczovL3ZlcmNlbC5jb20vYXBpL3d3dy9hdmF0YXIvODRhNzc0OTRjZWUwNjdmZWQyMTZjYzM3ZjY1ZTI1M2Y3OGZhMjgzMSIsIm5iZiI6MTc0NDg4MzE0MCwiaWF0IjoxNzQ0ODgzMTQwLCJleHAiOjE3NDQ4ODY3NDB9.bQ1CrgM7uGDmZs-ioEov9iosE-AFCHvfypasi-wEDEVD2uEcD4xU2C7vIXSLl_DAyIQFxWc7saQOcztiIltgHV3H_mSIBL1J2WKb7IX2dYe3bmxM32YC__vf_IKDzBFU7UufNEQW4fYq0abiej7heA4K_mJjvW_qZD-Skjxv51QdbXmcIUISrsS2jJID2B5cU0euBUV5Sc3sr1gLSrVIGChKROzboKG6Y0rtYAkjywdOGemHVz2aHBzo4uFxF1FcFx0EWGFI1AfNnSV0tP-RSOobfDai6RlCxmExUH2lEJaVrYfk9Hv5qIvbqtgrMv2LtqAydRhXHYmbAJHILmlK8Q",
+	},
 }
 
 func TestParseIDToken(t *testing.T) {