fix: Optionally consume email_verified if it's provided (#3957)

This reduces our OIDC requirement claims to only `email`. If `email_verified` is provided and is `false`, we will block authentication. Fixes #3954.
2025-07-03 16:13:58 +00:00 · 2022-09-08 09:06:00 -05:00
parent bb4a681833
commit e1afec6db4
2 changed files with 49 additions and 20 deletions
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -302,11 +302,20 @@ func TestUserOIDC(t *testing.T) {
 		AvatarURL    string
 		StatusCode   int
 	}{{
-		Name: "EmailNotVerified",
+		Name: "EmailOnly",
 		Claims: jwt.MapClaims{
 			"email": "kyle@kwc.io",
 		},
 		AllowSignups: true,
+		StatusCode:   http.StatusTemporaryRedirect,
+		Username:     "kyle",
+	}, {
+		Name: "EmailNotVerified",
+		Claims: jwt.MapClaims{
+			"email":          "kyle@kwc.io",
+			"email_verified": false,
+		},
+		AllowSignups: true,
 		StatusCode:   http.StatusForbidden,
 	}, {
 		Name: "NotInRequiredEmailDomain",