retrieveProfile for Xero Oauth2 id_token

Greetings - I’m currently trying to authenticate to the Xero API using Forge external-auth. I can get most of the way through the OAuth2 flow but currently stumped at how to configure retrieveProfile for this case…

Xero does not (apparently) have an API to fetch the current user details. Instead the user details are provided by xero in a separate JWT (JSON Web Token) alongside the access_token.

The following API call is specified as the exchange action in the providers section of my forge manifest. It produces both the access_token PLUS an id_token in JWT format…

https://identity.xero.com/connect/token

Example response:

{
   "id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6...",
   "access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6Ij...",
   "expires_in":1800,
   "token_type":"Bearer",
   "refresh_token":"7c59b817313e71725d4043c...",
   "scope":"openid profile email accounting.transactions accounting.contacts accounting.settings offline_access accounting.attachments accounting.journals.read accounting.reports.read"
}

(ref: https://developer.xero.com/documentation/guides/oauth2/auth-flow/)

The id_token contains user details needed for retrieveProfile but I’m not sure how I am supposed to specify the mandatory retrieveProfile configuration in my forge manifest

Could anyone point me in the right direction?

manifest.yml attached for reference:

modules:
  macro:
    - key: hello-xero-app-hello-world
      function: main
      title: hello-xero-app
      description: Inserts Hello world!
  function:
    - key: main
      handler: index.run
      providers:
        auth:
          - xero
app:
  id: ari:cloud:ecosystem::app/d2d1dcb5-604a-44de-a590-faab9717434e
providers:
  auth:
    - key: xero
      name: Xero
      scopes:
        - 'openid'
        - 'profile'
        - 'email'
        - 'accounting.settings'
        - 'accounting.reports.read'
        - 'accounting.journals.read'
        - 'accounting.contacts'
        - 'accounting.attachments'
        - 'accounting.transactions'
        - 'offline_access'
      type: oauth2
      clientId: SECRET_SQUIRREL
      remotes:
        - xero-apis
      bearerMethod: authorization-header
      actions:
        authorization:
          remote: xero-account
          path: /identity/connect/authorize
        exchange:
          remote: xero-oauth
          path: /connect/token
        revokeToken:
          remote: xero-oauth
          path: /connect/revocation
        retrieveProfile:
          remote: UNKNOWN
          path: UNKNOWN
          resolvers:
            id: UNKNOWN
            displayName: UNKNOWN
remotes:
  - key: xero-apis
    baseUrl: https://api.xero.com
  - key: xero-account
    baseUrl: https://login.xero.com
  - key: xero-oauth
    baseUrl: https://identity.xero.com
permissions:
  external:
    fetch:
      backend:
        - 'https://api.xero.com'
        - 'https://login.xero.com'
        - 'https://identity.xero.com'