Compatibility issue with Kakao OpenID Connect

Context:
I am attempting to integrate Kakao Login (one of the largest social login providers in South Korea) into my Flutter application using Appwrite's Generic OIDC provider. Kakao supports OpenID Connect (OIDC) standard endpoints, but has strict constraints regarding scope names.

The Problem:

1. Appwrite's Generic OIDC server-side implementation enforces/appends standard scopes: openid, profile, and email to the authorization URL by default.
2. Even if I pass custom scopes from the client-side SDK (e.g., scopes: ['openid', 'profile_nickname', 'account_email'] in Flutter's createOAuth2Session), the Appwrite server still appends the default profile and email scopes to the request sent to Kakao.
3. Kakao strictly validates requested scopes. It does not recognize the standard profile or email scopes. Instead, it uses custom scope names: profile_nickname (or profile_image) and account_email.
4. Because the standard profile and email scopes are included in the request, Kakao rejects it immediately with an invalid_scope error (Error Code: KOE205), making it impossible to use the Generic OIDC adapter.

Suggested Solution:

• Provide a configuration field in the Appwrite Console under the Generic OIDC settings to customize or override the default scopes.
• Exceptional edit configuration for Kakao.
• Or, ensure that the scopes parameter passed from the client-side SDK completely overrides (rather than appends to) the default server-side scopes (openid, profile, email) for the OIDC provider.
  This will greatly improve OIDC compatibility with local identity providers like Kakao that enforce strict, non-standard scope validation.

interesting , yes it does seem like only openid is the default mandatory scope

profile and email are widely followed but not enforced by the rfc

cc @Meldiron

From what I remember, all OAuth providers we support require email scope. Thats reason why we didnt have Twitter back in the days, and why some like TikTok or Steam are recommended with serverless functions instead of official option.
cc @user , after our introduction of phone and anonyous users, maybe we can lift this limitation. But lets be 100% certain

for profile, agree, that should be optional. I recall we only use it for name.
Plus we could introduce more, I think OIDC also has "phone" commonly, maybe others that could be used by Appwrite to better fill user details.

kakao seems to just have a different named scope called “account_email” etc

Thank you for your interest in this topic. By the way, I noticed that a contributor was asking something about adding a Kakao provider. Would you be able to respond to him regarding that as well?

https://github.com/appwrite/appwrite/issues/9972#issuecomment-4661575772

I do like idea of ability to map to custom scope names. Maybe even attributes (name, email, .. in /userinfo) under advanced settings in OIDC provider. I think I saw such UI in some of other backends, but cant remember which.

Also, if goal here is to support Kakao, maybe we can add native support for it, for even easier time for other devs using Kakao.

sounds good, i remember @Venom trying to work on native oauth provider for kakao 👀