From 0b9fdb7a16f0ff5e0debb383747f500285852ec4 Mon Sep 17 00:00:00 2001 From: Justin Angel Date: Sun, 2 Nov 2025 10:17:01 -0500 Subject: [PATCH] allow unverified email usage --- hscontrol/oidc.go | 14 ++++++++------ hscontrol/types/config.go | 12 +++++++----- hscontrol/types/users.go | 4 ++-- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/hscontrol/oidc.go b/hscontrol/oidc.go index 84d00712..e732eb47 100644 --- a/hscontrol/oidc.go +++ b/hscontrol/oidc.go @@ -281,11 +281,13 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler( util.LogErr(err, "could not get userinfo; only using claims from id token") } - // The user claims are now updated from the userinfo endpoint so we can verify the user - // against allowed emails, email domains, and groups. - if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil { - httpError(writer, err) - return + if bool(claims.EmailVerified) || a.cfg.UseUnverifiedEmail { + // The user claims are now updated from the userinfo endpoint so we can verify the user + // against allowed emails, email domains, and groups. + if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil { + httpError(writer, err) + return + } } if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil { @@ -505,7 +507,7 @@ func (a *AuthProviderOIDC) createOrUpdateUserFromClaim( user = &types.User{} } - user.FromClaim(claims) + user.FromClaim(claims, a.cfg.UseUnverifiedEmail) if newUser { user, c, err = a.h.state.CreateUser(*user) diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go index cdae2407..5d9f950f 100644 --- a/hscontrol/types/config.go +++ b/hscontrol/types/config.go @@ -328,6 +328,7 @@ func LoadConfig(path string, isFile bool) error { viper.SetDefault("oidc.use_expiry_from_token", false) viper.SetDefault("oidc.pkce.enabled", false) viper.SetDefault("oidc.pkce.method", "S256") + viper.SetDefault("oidc.use_unverified_email", false) viper.SetDefault("logtail.enabled", false) viper.SetDefault("randomize_client_port", false) @@ -384,11 +385,12 @@ func validateServerConfig() error { if err := validatePKCEMethod(viper.GetString("oidc.pkce.method")); err != nil { return err } - if viper.IsSet("oidc.use_unverified_email") { - log.Warn().Msg("unverified emails will be accepted during oidc authentication (oidc.use_unverified_email=true)") - } else { - log.Warn().Msg("only verified emails will be accepted during oidc authentication (oidc.use_unverified_email=false)") - } + } + + if viper.IsSet("oidc.use_unverified_email") { + log.Warn().Msg("unverified emails will be accepted during oidc authentication (oidc.use_unverified_email=true)") + } else { + log.Warn().Msg("only verified emails will be accepted during oidc authentication (oidc.use_unverified_email=false)") } depr.Log() diff --git a/hscontrol/types/users.go b/hscontrol/types/users.go index b7cb1038..15340b33 100644 --- a/hscontrol/types/users.go +++ b/hscontrol/types/users.go @@ -324,7 +324,7 @@ type OIDCUserInfo struct { // FromClaim overrides a User from OIDC claims. // All fields will be updated, except for the ID. -func (u *User) FromClaim(claims *OIDCClaims) { +func (u *User) FromClaim(claims *OIDCClaims, useUnverifiedEmail bool) { err := util.ValidateUsername(claims.Username) if err == nil { u.Name = claims.Username @@ -332,7 +332,7 @@ func (u *User) FromClaim(claims *OIDCClaims) { log.Debug().Caller().Err(err).Msgf("Username %s is not valid", claims.Username) } - if claims.EmailVerified { + if claims.EmailVerified || FlexibleBoolean(useUnverifiedEmail) { _, err = mail.ParseAddress(claims.Email) if err == nil { u.Email = claims.Email