
allow unverified email usage

This commit is contained in:
Justin Angel 2025-11-02 10:17:01 -05:00
parent f646b6bd80
commit 0b9fdb7a16
3 changed files with 17 additions and 13 deletions


@ -281,11 +281,13 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
util.LogErr(err, "could not get userinfo; only using claims from id token") util.LogErr(err, "could not get userinfo; only using claims from id token")
} }
// The user claims are now updated from the userinfo endpoint so we can verify the user if bool(claims.EmailVerified) || a.cfg.UseUnverifiedEmail {
// against allowed emails, email domains, and groups. // The user claims are now updated from the userinfo endpoint so we can verify the user
if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil { // against allowed emails, email domains, and groups.
httpError(writer, err) if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
return httpError(writer, err)
return
}
} }
if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil { if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil {
@ -505,7 +507,7 @@ func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
user = &types.User{} user = &types.User{}
} }
user.FromClaim(claims) user.FromClaim(claims, a.cfg.UseUnverifiedEmail)
if newUser { if newUser {
user, c, err = a.h.state.CreateUser(*user) user, c, err = a.h.state.CreateUser(*user)
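Review bot: The new guard `if bool(claims.EmailVerified) || a.cfg.UseUnverifiedEmail {` fails open: when the email is unverified and `oidc.use_unverified_email` is off, the `validateOIDCAllowedDomains` call inside it is skipped entirely rather than the login being rejected, while the `validateOIDCAllowedGroups` check just below still runs unconditionally. Unless validateOIDCAllowedDomains itself rejects unverified emails (its body is not visible here), a user presenting an unverified address from a domain outside `a.cfg.AllowedDomains` now passes the domain gate that the old code applied to every login. I would add an explicit branch ahead of the check — when `a.cfg.AllowedDomains` is non-empty, the email is not verified and the flag is off, call `httpError(writer, …)` with an "email not verified" error and `return` — so allowed_domains stays enforceable for unverified claims instead of being silently bypassed. OIDCCallbackHandler starts and ends outside this hunk, and the second hunk's `user.FromClaim(claims, a.cfg.UseUnverifiedEmail)` looks fine on its own.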


@ -328,6 +328,7 @@ func LoadConfig(path string, isFile bool) error {
viper.SetDefault("oidc.use_expiry_from_token", false) viper.SetDefault("oidc.use_expiry_from_token", false)
viper.SetDefault("oidc.pkce.enabled", false) viper.SetDefault("oidc.pkce.enabled", false)
viper.SetDefault("oidc.pkce.method", "S256") viper.SetDefault("oidc.pkce.method", "S256")
viper.SetDefault("oidc.use_unverified_email", false)
viper.SetDefault("logtail.enabled", false) viper.SetDefault("logtail.enabled", false)
viper.SetDefault("randomize_client_port", false) viper.SetDefault("randomize_client_port", false)
@ -384,11 +385,12 @@ func validateServerConfig() error {
if err := validatePKCEMethod(viper.GetString("oidc.pkce.method")); err != nil { if err := validatePKCEMethod(viper.GetString("oidc.pkce.method")); err != nil {
return err return err
} }
if viper.IsSet("oidc.use_unverified_email") { }
log.Warn().Msg("unverified emails will be accepted during oidc authentication (oidc.use_unverified_email=true)")
} else { if viper.IsSet("oidc.use_unverified_email") {
log.Warn().Msg("only verified emails will be accepted during oidc authentication (oidc.use_unverified_email=false)") log.Warn().Msg("unverified emails will be accepted during oidc authentication (oidc.use_unverified_email=true)")
} } else {
log.Warn().Msg("only verified emails will be accepted during oidc authentication (oidc.use_unverified_email=false)")
} }
depr.Log() depr.Log()
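Review bot: `if viper.IsSet("oidc.use_unverified_email") {` branches on whether the key is present in the configuration, not on its value, so an operator who explicitly writes `use_unverified_email: false` is told that unverified emails will be accepted, while one who omits the key (the default registered with `viper.SetDefault` in the hunk above) is warned about the secure default. The condition should read `if viper.GetBool("oidc.use_unverified_email") {`. The `else` branch describing the verified-only default is also better logged at info level than as a warning, since it is not a misconfiguration and a permanent Warn on the safe setting trains operators to ignore the one that matters. validateServerConfig begins before this hunk.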


@ -324,7 +324,7 @@ type OIDCUserInfo struct {
// FromClaim overrides a User from OIDC claims. // FromClaim overrides a User from OIDC claims.
// All fields will be updated, except for the ID. // All fields will be updated, except for the ID.
func (u *User) FromClaim(claims *OIDCClaims) { func (u *User) FromClaim(claims *OIDCClaims, useUnverifiedEmail bool) {
err := util.ValidateUsername(claims.Username) err := util.ValidateUsername(claims.Username)
if err == nil { if err == nil {
u.Name = claims.Username u.Name = claims.Username
@ -332,7 +332,7 @@ func (u *User) FromClaim(claims *OIDCClaims) {
log.Debug().Caller().Err(err).Msgf("Username %s is not valid", claims.Username) log.Debug().Caller().Err(err).Msgf("Username %s is not valid", claims.Username)
} }
if claims.EmailVerified { if claims.EmailVerified || FlexibleBoolean(useUnverifiedEmail) {
_, err = mail.ParseAddress(claims.Email) _, err = mail.ParseAddress(claims.Email)
if err == nil { if err == nil {
u.Email = claims.Email u.Email = claims.Email
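Review bot: The doc comment `// FromClaim overrides a User from OIDC claims.` is not updated for the new `useUnverifiedEmail` parameter, which changes the function's trust decision about where `u.Email` comes from. I would extend it with `// useUnverifiedEmail makes FromClaim copy claims.Email even when the provider did not assert email_verified; enable it only for providers whose email claim is trusted, since the address is otherwise unauthenticated input.` As a point of style, the condition wraps a plain bool in `FlexibleBoolean(useUnverifiedEmail)` while the caller in oidc.go converts the other way with `bool(claims.EmailVerified)`; comparing as plain bools, `if bool(claims.EmailVerified) || useUnverifiedEmail {`, would keep the two sites consistent. FromClaim continues past the end of this hunk.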