Custom Claims from scripted API call

[ChevronTango]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I am trying to use GitLab as an OIDC provider and retrieve the project_ids (with prefix and role) as groups. The existing GitLab token only contains project paths as groups. I need some way to call the GitLab API as the user and return a new groups claim which contains the additional information I need.

Proposed Solution

Add in a plugin or scripting system which would allow me to take the existing user_info and access_token and call the GitLab API to retrieve all the additional information I need, and return a new user_info back to the user.

Alternatives Considered

I have actually scripted this setup on a go application, which does precisely this, however for security I'd rather trust an established federation service like Dex, if it can support transforming and augmenting the user_info as I need.

Additional Information

I believe this might be related to, or covered off by #1635

[matzegebbe]

I have a similar requirement and wondered whether DEX should be capable of this or whether it is out of scope. Classic token enrichment like for example, Adding Custom Claims to ID Tokens with Auth0 Actions would be very helpful for us. Is there supposed to be such a function that is calling an API with auth info like username and puts the response in predefined claims?