From 0494993326ac4df41f2695a1bbcce7acb763370b Mon Sep 17 00:00:00 2001
From: Rui Yang
Date: Tue, 8 Sep 2020 10:03:52 -0400
Subject: [PATCH] update oidc documentation and email claim err msg
Signed-off-by: Rui Yang
---
 Documentation/connectors/oidc.md | 19 ++++++-------------
 connector/oidc/oidc.go | 2 +-
 2 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/Documentation/connectors/oidc.md b/Documentation/connectors/oidc.md
index 2ff2a0ba..6fd19184 100644
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -78,28 +78,21 @@ connectors:
 # promptType: consent
- # Some providers return no standard claim that is different to
- # claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims
- # Use claimMapping to specify custom claim names
+ # Some providers return non-standard claims (eg. mail).
+ # Use claimMapping to map those claims to standard claims:
+ # https://openid.net/specs/openid-connect-core-1_0.html#Claims
+ # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token.
 claimMapping:
- # The set claim is used as user id.
- # Default: sub
- # user_id: nickname
-
- # The set claim is used as user name.
- # Default: name
- # user_name: nickname
-
 # The set claim is used as preferred username.
 # Default: preferred_username
 # preferred_username: other_user_name
 # The set claim is used as email.
- # Default: "email"
+ # Default: email
 # email: mail
 # The set claim is used as groups.
- # Default: "groups"
+ # Default: groups
 # groups: "cognito:groups"
 ```
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index f26a390c..4cc44ddb 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -330,7 +330,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 }
 if !found && hasEmailScope {
- return identity, fmt.Errorf("missing \"%s\" claim", emailKey)
+ return identity, fmt.Errorf("missing email claim, not found \"%s\" key", emailKey)
 }
 emailVerified, found := claims["email_verified"].(bool)
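Review bot: The rewritten error in the `!found && hasEmailScope` branch still hand-quotes the key with `\"%s\"`, and "not found \"%s\" key" reads awkwardly. `emailKey` appears to come from the connector's claimMapping configuration, so `%q` is the safer verb: it adds the quotes itself and escapes any unusual characters before the message reaches logs. I would write it as `return identity, fmt.Errorf("missing email claim: key %q not found", emailKey)`. createIdentity starts and ends outside this hunk, so whether the key was looked up in the id_token or the userinfo response cannot be judged from here.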