fix: Remove case sensitivity check in OIDC email domain (#4534)

Fixes #4533.
2025-07-15 22:20:27 +00:00 · 2022-10-13 10:51:54 -05:00
parent 0d0ea981da
commit 574e5d37c7
2 changed files with 10 additions and 1 deletions
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -261,7 +261,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		username = httpapi.UsernameFrom(username)
 	}
 	if api.OIDCConfig.EmailDomain != "" {
-		if !strings.HasSuffix(email, api.OIDCConfig.EmailDomain) {
+		if !strings.HasSuffix(strings.ToLower(email), strings.ToLower(api.OIDCConfig.EmailDomain)) {
 			httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 				Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
 			})
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -373,6 +373,15 @@ func TestUserOIDC(t *testing.T) {
 		AllowSignups: true,
 		EmailDomain:  "coder.com",
 		StatusCode:   http.StatusForbidden,
+	}, {
+		Name: "EmailDomainCaseInsensitive",
+		Claims: jwt.MapClaims{
+			"email":          "kyle@KWC.io",
+			"email_verified": true,
+		},
+		AllowSignups: true,
+		EmailDomain:  "kwc.io",
+		StatusCode:   http.StatusTemporaryRedirect,
 	}, {
 		Name:         "EmptyClaims",
 		Claims:       jwt.MapClaims{},