Skip to content

oidc: skip email_verified check when claim is absent#388

Open
jflecool2 wants to merge 1 commit into
Notifuse:mainfrom
jflecool2:fix/oidc-email-verified-absent
Open

oidc: skip email_verified check when claim is absent#388
jflecool2 wants to merge 1 commit into
Notifuse:mainfrom
jflecool2:fix/oidc-email-verified-absent

Conversation

@jflecool2

Copy link
Copy Markdown

AI disclamer

As I was losing my mind over my OIDC integration not working, I interacted with Claude Sonnet 5 to debug and then to fix the issue I was having. This is mostly AI's work, but I double checked. It look sound, and it was unit tested correctly. I hope this is useful to Notifuse.

Problem

Some IdPs — notably Azure/Entra ID surfaced via Cloudflare Access — never include the email_verified claim in the id_token at all. The previous code decoded the claim as a plain bool, which Go JSON-unmarshals to false when the key is missing. This caused every first-time login to be rejected with oidc_error=email_unverified, making the OIDC integration permanently non-functional with those providers despite correct configuration.

Fix

Change EmailVerified from bool to *bool in the claims struct. JSON unmarshalling now produces nil when the claim is absent. The gate is updated to:
nil (claim absent) → skip the check, proceed with login
false (claim explicitly set to unverified) → reject as before
true (claim present and verified) → proceed as before
No configuration changes, no migrations, no breaking changes. Behaviour is identical for any IdP that already includes email_verified.

Testing

Existing tests updated for the *bool signature change. New test TestResolve_FirstLogin_EmailVerifiedAbsent_Allowed covers the nil/absent case.

Some IdPs (notably Azure/Entra ID via Cloudflare Access) never include
the email_verified claim in the id_token at all, rather than setting it
to false. The previous bool field defaulted to false when absent, which
permanently blocked first-time login for every user on those providers.

Change EmailVerified from bool to *bool so JSON unmarshalling produces
nil (not false) when the claim is missing. The gate now only rejects
when the IdP explicitly asserts email_verified=false; a nil value skips
the check entirely.

Behaviour is unchanged for IdPs that do include the claim.
@pierre-b

Copy link
Copy Markdown
Contributor

Hi @jflecool2 , thanks for the report, I'm investigating !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants