Provide mechanism to adjust email_verified requirement for OIDC #3954

Closed
dcarrion87 opened this issue Sep 8, 2022 · 4 comments · Fixed by #3957

dcarrion87 (Contributor) commented Sep 8, 2022

{"message":"Failed to extract OIDC claims.","detail":"json: cannot unmarshal string into Go struct field .email_verified of type bool"}
  • I don't see how to configure AzureAD to have that come through as a bool instead of string.

Ideally there would be the ability to disable/adjust this verification option based on the OIDC provider. At the moment it just fails without an option:

if !claims.Verified {

kylecarbs (Member) commented

Makes sense. I'll fix this today and publish a new release!

kylecarbs self-assigned this Sep 8, 2022

kylecarbs (Member) commented

@dcarrion87 I'm making this only respect email_verified if it's provided... that seems like it should work!

kylecarbs added a commit that referenced this issue Sep 8, 2022
This reduces our OIDC requirement claims to only `email`. If `email_verified`
is provided and is `false`, we will block authentication.

Fixes #3954.

kylecarbs (Member) commented

It's out 🥳
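
The behaviour discussed in this thread, as an added Go example that is not Coder's code and not part of the original issue: `email_verified` is decoded from either a JSON boolean or the string form that caused the unmarshal error above, is treated as optional, and blocks authentication only when it is explicitly false. The names `flexBool`, `oidcClaims` and `checkClaims` and the sample claims are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// flexBool accepts a JSON bool or the string form some providers send ("true"/"false").
type flexBool bool

func (b *flexBool) UnmarshalJSON(data []byte) error {
	switch strings.ToLower(string(data)) {
	case "true", `"true"`:
		*b = true
	case "false", `"false"`:
		*b = false
	default: // numbers, objects, other strings: reject instead of guessing
		return fmt.Errorf("email_verified: unsupported value %s", data)
	}
	return nil
}

// oidcClaims is a hypothetical struct; a nil Verified means the claim was absent.
type oidcClaims struct {
	Email    string    `json:"email"`
	Verified *flexBool `json:"email_verified"`
}

var errUnverified = errors.New("email_verified is false")

// checkClaims requires email and rejects only an explicit email_verified=false.
func checkClaims(raw []byte) (string, error) {
	var c oidcClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if c.Email == "" {
		return "", errors.New("email claim missing")
	}
	if c.Verified != nil && !*c.Verified {
		return "", errUnverified
	}
	return c.Email, nil
}

func main() {
	// Constructed sample claims with the string-typed value from the error above.
	fmt.Println(checkClaims([]byte(`{"email":"a@example.com","email_verified":"true"}`)))
}
```

Because an absent claim is accepted, this policy relies on the identity provider to assert only addresses it has verified or controls.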
