Issues getting email with AzureAD OIDC integration #4472

Closed
dcarrion87 opened this issue Oct 11, 2022 · 5 comments · Fixed by #4594
Labels: api Area: HTTP API

Comments

@dcarrion87 (Contributor)

dcarrion87 commented Oct 11, 2022

We've been having issues with onboarding users via AzureAD OIDC configuration which results in this error:

Message: "No email found in OIDC payload!",

When testing openid profile email by default an id_token comes back with the following.

```json
{
...
  "name": "JV2 User",
  "preferred_username": "jv2user@testdomain.com",
...
}
```

Have to manually add the email address field to the user in AzureAD portal for this to come back:

```json
{
...
  "email": "jv2user@testdomain.com",
  "name": "JV2 User",
  "preferred_username": "jv2user@testdomain.com",
...
}
```

I'm just wondering if it should revert back to using preferred_username email address component if email is not there?

Interesting note at: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v10-and-v20-optional-claims-set

> This value is included by default if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope. This value isn't guaranteed to be correct, and is mutable over time - never use it for authorization or to save data for a user. For more information, see Validate the user has permission to access this data. If you require an addressable email address in your app, request this data from the user directly, using this claim as a suggestion or pre-fill in your UX.

This is curious as I would have thought CoderV1 would have had similar issues?

@kylecarbs (Member)

We have a specific edge-case for this in v1, and I suppose we should add it in v2 as well!

@kylecarbs kylecarbs self-assigned this Oct 11, 2022
@kylecarbs kylecarbs added bug api Area: HTTP API labels Oct 11, 2022
@dcarrion87 (Contributor, Author)

dcarrion87 commented Oct 11, 2022

Thanks @kylecarbs. Still investigating our side as well to understand why it's sometimes not there. But good to know that there are edge cases previously encountered.

@f0ssel (Contributor)

f0ssel commented Oct 11, 2022

Yes, the OIDC spec says that the email field is optional, so we should be able to handle not having it in general. 👍
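An added example, not Coder's code or anything from this thread's participants, of the handling discussed above in Go: prefer the standard `email` claim, fall back to `preferred_username` only when it parses as a plain address, and otherwise return the error string from the report. The helper name `emailFromClaims`, `ErrNoEmail`, and the sample claim maps are assumptions constructed from the two id_token excerpts in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrNoEmail reproduces the error string reported in this issue.
var ErrNoEmail = errors.New("No email found in OIDC payload!")

// emailFromClaims returns an email address from decoded ID-token claims.
// Order: the standard "email" claim first; if the IdP omitted it (as in the
// first AzureAD token shown above), fall back to "preferred_username", but
// only when that value parses as a bare addr-spec, since a UPN is not
// guaranteed to be a mail address. Hypothetical helper, not Coder's own.
func emailFromClaims(claims map[string]any) (string, error) {
	for _, key := range []string{"email", "preferred_username"} {
		raw, ok := claims[key].(string)
		raw = strings.TrimSpace(raw)
		if !ok || raw == "" {
			continue
		}
		addr, err := mail.ParseAddress(raw)
		if err != nil || addr.Address != raw {
			continue // not a plain address (e.g. "JV2 User" or a display-name form)
		}
		return addr.Address, nil
	}
	return "", ErrNoEmail
}

func main() {
	// Constructed claim sets mirroring the two id_token excerpts in the issue.
	withoutEmail := map[string]any{"name": "JV2 User", "preferred_username": "jv2user@testdomain.com"}
	withEmail := map[string]any{"email": "jv2user@testdomain.com", "name": "JV2 User", "preferred_username": "jv2user@testdomain.com"}
	noAddress := map[string]any{"name": "JV2 User", "preferred_username": "JV2 User"}
	for _, c := range []map[string]any{withoutEmail, withEmail, noAddress} {
		email, err := emailFromClaims(c)
		fmt.Printf("email=%q err=%v\n", email, err)
	}
	// Per the Microsoft note quoted in the issue, the email value is mutable:
	// key the user record on the stable "sub" claim and treat email as profile data.
}
```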

@dcarrion87 (Contributor, Author)

FYI, we were able to resolve this by explicitly setting the email optional claim for the app in the affected tenant.

@dcarrion87 (Contributor, Author)

Thanks @kylecarbs
