From d72d5d0e8eef814553466eb0b1daf4568816274d Mon Sep 17 00:00:00 2001
From: Carter Roeser
Date: Wed, 7 Aug 2024 11:39:51 -0700
Subject: [PATCH] feat: Add OAuth Email Claim Variable

Add an `OAUTH_EMAIL_CLAIM` variable to override the default "email" claim value.
---
 backend/apps/webui/main.py | 2 ++
 backend/config.py | 6 ++++++
 backend/main.py | 3 ++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/backend/apps/webui/main.py b/backend/apps/webui/main.py
index a0b9f5008..3c387842d 100644
--- a/backend/apps/webui/main.py
+++ b/backend/apps/webui/main.py
@@ -46,6 +46,7 @@ from config import (
     AppConfig,
     OAUTH_USERNAME_CLAIM,
     OAUTH_PICTURE_CLAIM,
+    OAUTH_EMAIL_CLAIM,
 )
 from apps.socket.main import get_event_call, get_event_emitter
 
@@ -84,6 +85,7 @@ app.state.config.ENABLE_COMMUNITY_SHARING = ENABLE_COMMUNITY_SHARING
 app.state.config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
 app.state.config.OAUTH_PICTURE_CLAIM = OAUTH_PICTURE_CLAIM
+app.state.config.OAUTH_EMAIL_CLAIM = OAUTH_EMAIL_CLAIM
 
 app.state.MODELS = {}
 app.state.TOOLS = {}
 
diff --git a/backend/config.py b/backend/config.py
index 30a970012..7d6c0bd7c 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -433,6 +433,12 @@ OAUTH_PICTURE_CLAIM = PersistentConfig(
     os.environ.get("OAUTH_PICTURE_CLAIM", "picture"),
 )
 
+OAUTH_EMAIL_CLAIM = PersistentConfig(
+    "OAUTH_EMAIL_CLAIM",
+    "oauth.oidc.email_claim",
+    os.environ.get("OAUTH_EMAIL_CLAIM", "email"),
+)
+
 
 def load_oauth_providers():
     OAUTH_PROVIDERS.clear()
diff --git a/backend/main.py b/backend/main.py
index d7bff888e..6e4265a5c 100644
--- a/backend/main.py
+++ b/backend/main.py
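Review bot: The new `OAUTH_EMAIL_CLAIM` PersistentConfig entry in backend/config.py carries no comment saying what it controls, and because it decides which token field becomes the account's email it deserves one more than the sibling claim settings do. A line above the block such as `# Name of the ID-token/userinfo claim whose value is used as the account email; the OAuth callback still rejects logins where that claim is absent or empty.` would make the contract clear to whoever sets it. Note also that `os.environ.get("OAUTH_EMAIL_CLAIM", "email")` takes an empty environment value literally rather than falling back to "email", so an exported-but-blank variable would make every OAuth login fail closed with the "email is missing" error; if that is not intended, `os.environ.get("OAUTH_EMAIL_CLAIM") or "email"` restores the default, though keeping the same pattern as OAUTH_PICTURE_CLAIM is a reasonable choice for consistency.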
@@ -2158,7 +2158,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
         log.warning(f"OAuth callback failed, sub is missing: {user_data}")
         raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
     provider_sub = f"{provider}@{sub}"
-    email = user_data.get("email", "").lower()
+    email_claim = webui_app.state.config.OAUTH_EMAIL_CLAIM
+    email = user_data.get(email_claim, "").lower()
     # We currently mandate that email addresses are provided
     if not email:
         log.warning(f"OAuth callback failed, email is missing: {user_data}")
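Review bot: Once the claim name is operator-configurable, the value assigned on the new `email = user_data.get(email_claim, "").lower()` line is no longer guaranteed to be an email address, yet the only check that follows in this hunk is that it is non-empty. If OAUTH_EMAIL_CLAIM is pointed at a claim the provider does not guarantee to be unique or verified (a username or display-name style field), the callback would presumably carry that value into whatever account lookup or creation happens later in oauth_callback, so a minimal shape check before use, e.g. `if not email or "@" not in email:` folded into the existing guard, keeps the "we mandate email addresses" comment true. Separately, a configured claim that holds a non-string value in the token (a list or object) makes `.lower()` raise AttributeError and turns a bad-credential case into a 500 instead of the 400 the surrounding code returns; `raw = user_data.get(email_claim)` followed by `email = raw.lower() if isinstance(raw, str) else ""` keeps it on the 400 path. The body of oauth_callback begins and continues outside this hunk.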