From 574e5d37c76cb0b154ad62ccd4582e588235b15a Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Thu, 13 Oct 2022 10:51:54 -0500
Subject: [PATCH] fix: Remove case sensitivity check in OIDC email domain (#4534)

Fixes #4533.
---
 coderd/userauth.go | 2 +-
 coderd/userauth_test.go | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 8e3b02565a..4dd67844cf 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -261,7 +261,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 username = httpapi.UsernameFrom(username)
 }
 if api.OIDCConfig.EmailDomain != "" {
- if !strings.HasSuffix(email, api.OIDCConfig.EmailDomain) {
+ if !strings.HasSuffix(strings.ToLower(email), strings.ToLower(api.OIDCConfig.EmailDomain)) {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
 })
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index e7b8286348..42ac974d4e 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -373,6 +373,15 @@ func TestUserOIDC(t *testing.T) {
 AllowSignups: true,
 EmailDomain: "coder.com",
 StatusCode: http.StatusForbidden,
+ }, {
+ Name: "EmailDomainCaseInsensitive",
+ Claims: jwt.MapClaims{
+ "email": "kyle@KWC.io",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: "kwc.io",
+ StatusCode: http.StatusTemporaryRedirect,
 }, {
 Name: "EmptyClaims",
 Claims: jwt.MapClaims{},
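Review bot: The rewritten check on the `+` line still has no `@` boundary, so with EmailDomain set to `coder.com` an identity such as `attacker@evilcoder.com` passes the suffix test, and lower-casing both sides does nothing to close that. The minimal fix is to anchor the comparison at the separator, `if !strings.HasSuffix(strings.ToLower(email), "@"+strings.ToLower(api.OIDCConfig.EmailDomain)) {`, which assumes EmailDomain is configured as a bare domain the way the tests use it (`coder.com`, `kwc.io`); if sub-domains are meant to be accepted as well, also allow a `"."+domain` suffix. Bear in mind that `strings.ToLower` applies Unicode mappings (U+212A KELVIN SIGN lowers to ASCII `k`, for instance), so the fold here is broader than the ASCII case-insensitivity most IdPs apply to the local part and host; a comment such as `// Domain comparison is case-insensitive; the email is matched against "@"+domain so lookalike suffixes are rejected.` would record the intended contract. userOIDC starts before and continues after this hunk.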
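Review bot: The added `EmailDomainCaseInsensitive` case only exercises the accepting path; no case in this hunk asserts that an address whose domain merely ends in the configured value is rejected, which is the boundary the production `HasSuffix` check gets wrong. A sibling entry with `"email": "kyle@notkwc.io"`, `EmailDomain: "kwc.io"` and `StatusCode: http.StatusForbidden` would pin that behaviour and would fail against the current check, making the missing `@` anchor visible in CI rather than in an incident. TestUserOIDC begins before and continues after this hunk, so I cannot see whether an equivalent negative case already exists elsewhere in the table.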