

OIDC: ensure that email_veridied is set by default
Florent FAYOLLE committed Nov 22, 2023
1 parent 570e403 commit 9b0f2c3
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion app/server/lib/OIDCConfig.ts
Expand Up @@ -29,6 +29,9 @@
* env GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
* If set to "true", on logout, there won't be any attempt to call the IdP's end_session_endpoint
* (the user will remain logged in in the IdP).
* env GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED
* If set to "true", the user will be allowed to login even if the email is not verified by the IDP.
* Defaults to false.
*
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
* at:
Expand Down Expand Up @@ -61,6 +64,7 @@ export class OIDCConfig {
private _namePropertyKey?: string;
private _emailPropertyKey: string;
private _skipEndSessionEndpoint: boolean;
private _ignoreEmailVerified: boolean;

public constructor() {
}
Expand Down Expand Up @@ -95,6 +99,11 @@ export class OIDCConfig {
defaultValue: false,
})!;

this._ignoreEmailVerified = section.flag('forceEmailVerified').readBool({
envVar: 'GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED',
defaultValue: false,
})!;

const issuer = await Issuer.discover(issuerUrl);
this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
this._client = new issuer.Client({
Expand Down Expand Up @@ -134,6 +143,11 @@ export class OIDCConfig {
);

const userInfo = await this._client.userinfo(tokenSet);

if (!this._ignoreEmailVerified && userInfo.email_verified !== true) {
throw new Error(`OIDCConfig: email not verified for ${userInfo.email}`);
}

const profile = this._makeUserProfileFromUserInfo(userInfo);
log.info(`OIDCConfig: got OIDC response for ${profile.email} (${profile.name}) redirecting to ${targetUrl}`);

Expand Down Expand Up @@ -204,7 +218,6 @@ export class OIDCConfig {
return {
email: String(userInfo[ this._emailPropertyKey ]),
name: this._extractName(userInfo)

};
}

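Review bot: The config key `section.flag('forceEmailVerified')` in the `@@ -95,6 +99,11 @@` hunk names the opposite of what the setting does — when it reads true the new check at `if (!this._ignoreEmailVerified && userInfo.email_verified !== true)` is skipped, and the env var and field are both called IGNORE_EMAIL_VERIFIED, so a config-file user setting `forceEmailVerified: true` would get the inverse of what the name promises; rename it to match, `this._ignoreEmailVerified = section.flag('ignoreEmailVerified').readBool({`. In the `@@ -134,6 +143,11 @@` hunk the check and its error message use the fixed `userInfo.email_verified` / `userInfo.email` claims, while `_makeUserProfileFromUserInfo` takes the address from the configurable `this._emailPropertyKey`, so when that key is not `email` the rejection message may print `undefined`; `${userInfo[this._emailPropertyKey]}` would make the log line useful in that configuration. The strict `!== true` comparison rejects a missing or non-boolean claim, which is the safe default, and a one-line comment stating that intent (`// Fail closed: a missing or non-boolean email_verified claim counts as unverified.`) would stop a later maintainer from loosening it to a truthiness test. The method containing that check begins and ends outside the hunk.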

