feat: Allow multiple OIDC domains (#5210)

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
2025-07-08 11:39:50 +00:00 · 2022-12-06 05:20:53 +11:00
parent 02bb052d09
commit 061635c36d
8 changed files with 30 additions and 19 deletions
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -192,8 +192,8 @@ type OIDCConfig struct {
 	httpmw.OAuth2Config

 	Verifier *oidc.IDTokenVerifier
-	// EmailDomain is the domain to enforce when a user authenticates.
-	EmailDomain  string
+	// EmailDomains are the domains to enforce when a user authenticates.
+	EmailDomain  []string
 	AllowSignups bool
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
@ -289,10 +289,17 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		}
 		username = httpapi.UsernameFrom(username)
 	}
-	if api.OIDCConfig.EmailDomain != "" {
-		if !strings.HasSuffix(strings.ToLower(email), strings.ToLower(api.OIDCConfig.EmailDomain)) {
+	if len(api.OIDCConfig.EmailDomain) > 0 {
+		ok = false
+		for _, domain := range api.OIDCConfig.EmailDomain {
+			if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
+				ok = true
+				break
+			}
+		}
+		if !ok {
 			httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-				Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
+				Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
 			})
 			return
 		}
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -482,7 +482,7 @@ func TestUserOIDC(t *testing.T) {
 		Name                string
 		Claims              jwt.MapClaims
 		AllowSignups        bool
-		EmailDomain         string
+		EmailDomain         []string
 		Username            string
 		AvatarURL           string
 		StatusCode          int
@ -528,8 +528,10 @@ func TestUserOIDC(t *testing.T) {
 			"email_verified": true,
 		},
 		AllowSignups: true,
-		EmailDomain:  "coder.com",
-		StatusCode:   http.StatusForbidden,
+		EmailDomain: []string{
+			"coder.com",
+		},
+		StatusCode: http.StatusForbidden,
 	}, {
 		Name: "EmailDomainCaseInsensitive",
 		Claims: jwt.MapClaims{
@ -537,8 +539,10 @@ func TestUserOIDC(t *testing.T) {
 			"email_verified": true,
 		},
 		AllowSignups: true,
-		EmailDomain:  "kwc.io",
-		StatusCode:   http.StatusTemporaryRedirect,
+		EmailDomain: []string{
+			"kwc.io",
+		},
+		StatusCode: http.StatusTemporaryRedirect,
 	}, {
 		Name:         "EmptyClaims",
 		Claims:       jwt.MapClaims{},