oidc: skip email_verified check when claim is absent#388
Open
jflecool2 wants to merge 1 commit into
Open
Conversation
Some IdPs (notably Azure/Entra ID via Cloudflare Access) never include the email_verified claim in the id_token at all, rather than setting it to false. The previous bool field defaulted to false when absent, which permanently blocked first-time login for every user on those providers. Change EmailVerified from bool to *bool so JSON unmarshalling produces nil (not false) when the claim is missing. The gate now only rejects when the IdP explicitly asserts email_verified=false; a nil value skips the check entirely. Behaviour is unchanged for IdPs that do include the claim.
Contributor
|
Hi @jflecool2 , thanks for the report, I'm investigating ! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AI disclamer
As I was losing my mind over my OIDC integration not working, I interacted with Claude Sonnet 5 to debug and then to fix the issue I was having. This is mostly AI's work, but I double checked. It look sound, and it was unit tested correctly. I hope this is useful to Notifuse.
Problem
Some IdPs — notably Azure/Entra ID surfaced via Cloudflare Access — never include the email_verified claim in the id_token at all. The previous code decoded the claim as a plain bool, which Go JSON-unmarshals to false when the key is missing. This caused every first-time login to be rejected with oidc_error=email_unverified, making the OIDC integration permanently non-functional with those providers despite correct configuration.
Fix
Change EmailVerified from bool to *bool in the claims struct. JSON unmarshalling now produces nil when the claim is absent. The gate is updated to:
nil (claim absent) → skip the check, proceed with login
false (claim explicitly set to unverified) → reject as before
true (claim present and verified) → proceed as before
No configuration changes, no migrations, no breaking changes. Behaviour is identical for any IdP that already includes email_verified.
Testing
Existing tests updated for the *bool signature change. New test TestResolve_FirstLogin_EmailVerifiedAbsent_Allowed covers the nil/absent case.