mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
OIDC: ensure that email_veridied is set by default (#765)
Co-authored-by: Florent FAYOLLE <florent.fayolle@beta.gouv.fr>
This commit is contained in:
parent
570e4032a4
commit
1fec674d28
@ -29,6 +29,9 @@
|
||||
* env GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
|
||||
* If set to "true", on logout, there won't be any attempt to call the IdP's end_session_endpoint
|
||||
* (the user will remain logged in in the IdP).
|
||||
* env GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED
|
||||
* If set to "true", the user will be allowed to login even if the email is not verified by the IDP.
|
||||
* Defaults to false.
|
||||
*
|
||||
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
|
||||
* at:
|
||||
@ -61,6 +64,7 @@ export class OIDCConfig {
|
||||
private _namePropertyKey?: string;
|
||||
private _emailPropertyKey: string;
|
||||
private _skipEndSessionEndpoint: boolean;
|
||||
private _ignoreEmailVerified: boolean;
|
||||
|
||||
public constructor() {
|
||||
}
|
||||
@ -95,6 +99,11 @@ export class OIDCConfig {
|
||||
defaultValue: false,
|
||||
})!;
|
||||
|
||||
this._ignoreEmailVerified = section.flag('ignoreEmailVerified').readBool({
|
||||
envVar: 'GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED',
|
||||
defaultValue: false,
|
||||
})!;
|
||||
|
||||
const issuer = await Issuer.discover(issuerUrl);
|
||||
this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
|
||||
this._client = new issuer.Client({
|
||||
@ -134,6 +143,11 @@ export class OIDCConfig {
|
||||
);
|
||||
|
||||
const userInfo = await this._client.userinfo(tokenSet);
|
||||
|
||||
if (!this._ignoreEmailVerified && userInfo.email_verified !== true) {
|
||||
throw new Error(`OIDCConfig: email not verified for ${userInfo.email}`);
|
||||
}
|
||||
|
||||
const profile = this._makeUserProfileFromUserInfo(userInfo);
|
||||
log.info(`OIDCConfig: got OIDC response for ${profile.email} (${profile.name}) redirecting to ${targetUrl}`);
|
||||
|
||||
@ -204,7 +218,6 @@ export class OIDCConfig {
|
||||
return {
|
||||
email: String(userInfo[ this._emailPropertyKey ]),
|
||||
name: this._extractName(userInfo)
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user