@@ -206,34 +206,6 @@ func TestUserOAuth2Github(t *testing.T) {
206206 resp := oauth2Callback (t , client )
207207 require .Equal (t , http .StatusTemporaryRedirect , resp .StatusCode )
208208 })
209- t .Run ("Login" , func (t * testing.T ) {
210- t .Parallel ()
211- client := coderdtest .New (t , & coderdtest.Options {
212- GithubOAuth2Config : & coderd.GithubOAuth2Config {
213- OAuth2Config : & oauth2Config {},
214- AllowOrganizations : []string {"coder" },
215- ListOrganizationMemberships : func (ctx context.Context , client * http.Client ) ([]* github.Membership , error ) {
216- return []* github.Membership {{
217- Organization : & github.Organization {
218- Login : github .String ("coder" ),
219- },
220- }}, nil
221- },
222- AuthenticatedUser : func (ctx context.Context , client * http.Client ) (* github.User , error ) {
223- return & github.User {}, nil
224- },
225- ListEmails : func (ctx context.Context , client * http.Client ) ([]* github.UserEmail , error ) {
226- return []* github.UserEmail {{
227- Email : github .String ("testuser@coder.com" ),
228- Verified : github .Bool (true ),
229- }}, nil
230- },
231- },
232- })
233- _ = coderdtest .CreateFirstUser (t , client )
234- resp := oauth2Callback (t , client )
235- require .Equal (t , http .StatusTemporaryRedirect , resp .StatusCode )
236- })
237209 t .Run ("SignupAllowedTeam" , func (t * testing.T ) {
238210 t .Parallel ()
239211 client := coderdtest .New (t , & coderdtest.Options {
@@ -361,6 +333,7 @@ func TestUserOIDC(t *testing.T) {
361333 user , err := client .User (ctx , "me" )
362334 require .NoError (t , err )
363335 require .Equal (t , tc .Username , user .Username )
336+ require .Equal (t , "https://coder.com||hello" , user .LinkedID )
364337 }
365338 })
366339 }
@@ -404,6 +377,27 @@ func TestUserOIDC(t *testing.T) {
404377 resp := oidcCallback (t , client )
405378 require .Equal (t , http .StatusBadRequest , resp .StatusCode )
406379 })
380+
381+ // Test that we do not allow collisions with pre-existing accounts
382+ // of differing login types.
383+ t .Run ("InvalidLoginType" , func (t * testing.T ) {
384+ t .Parallel ()
385+ config := createOIDCConfig (t , jwt.MapClaims {
386+ "email" : "kyle@kwc.io" ,
387+ "email_verified" : true ,
388+ "preferred_username" : "kyle" ,
389+ })
390+
391+ client := coderdtest .New (t , & coderdtest.Options {
392+ OIDCConfig : config ,
393+ })
394+
395+ config .AllowSignups = true
396+ config .EmailDomain = "kwc.io"
397+
398+ resp := oidcCallback (t , client )
399+ assert .Equal (t , http .StatusConflict , resp .StatusCode )
400+ })
407401}
408402
409403// createOIDCConfig generates a new OIDCConfig that returns a static token
@@ -415,11 +409,13 @@ func createOIDCConfig(t *testing.T, claims jwt.MapClaims) *coderd.OIDCConfig {
415409
416410 // https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
417411 claims ["exp" ] = time .Now ().Add (time .Hour ).UnixMilli ()
412+ claims ["iss" ] = "https://coder.com"
413+ claims ["sub" ] = "hello"
418414
419415 signed , err := jwt .NewWithClaims (jwt .SigningMethodRS256 , claims ).SignedString (key )
420416 require .NoError (t , err )
421417
422- verifier := oidc .NewVerifier ("" , & oidc.StaticKeySet {
418+ verifier := oidc .NewVerifier ("https://coder.com " , & oidc.StaticKeySet {
423419 PublicKeys : []crypto.PublicKey {key .Public ()},
424420 }, & oidc.Config {
425421 SkipClientIDCheck : true ,
@@ -480,3 +476,7 @@ func oidcCallback(t *testing.T, client *codersdk.Client) *http.Response {
480476 t .Log (string (data ))
481477 return res
482478}
479+
480+ func i64ptr (i int64 ) * int64 {
481+ return & i
482+ }
0 commit comments