From d72d5d0e8eef814553466eb0b1daf4568816274d Mon Sep 17 00:00:00 2001
From: Carter Roeser <carter@cjr.app>
Date: Wed, 7 Aug 2024 11:39:51 -0700
Subject: [PATCH] feat: Add OAuth Email Claim Variable

Add an `OAUTH_EMAIL_CLAIM` variable to override the default "email" claim value.
---
 backend/apps/webui/main.py | 2 ++
 backend/config.py          | 6 ++++++
 backend/main.py            | 3 ++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/backend/apps/webui/main.py b/backend/apps/webui/main.py
index a0b9f5008..3c387842d 100644
--- a/backend/apps/webui/main.py
+++ b/backend/apps/webui/main.py
@@ -46,6 +46,7 @@ from config import (
     AppConfig,
     OAUTH_USERNAME_CLAIM,
     OAUTH_PICTURE_CLAIM,
+    OAUTH_EMAIL_CLAIM,
 )
 
 from apps.socket.main import get_event_call, get_event_emitter
@@ -84,6 +85,7 @@ app.state.config.ENABLE_COMMUNITY_SHARING = ENABLE_COMMUNITY_SHARING
 
 app.state.config.OAUTH_USERNAME_CLAIM = OAUTH_USERNAME_CLAIM
 app.state.config.OAUTH_PICTURE_CLAIM = OAUTH_PICTURE_CLAIM
+app.state.config.OAUTH_EMAIL_CLAIM = OAUTH_EMAIL_CLAIM
 
 app.state.MODELS = {}
 app.state.TOOLS = {}
diff --git a/backend/config.py b/backend/config.py
index 30a970012..7d6c0bd7c 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -433,6 +433,12 @@ OAUTH_PICTURE_CLAIM = PersistentConfig(
     os.environ.get("OAUTH_PICTURE_CLAIM", "picture"),
 )
 
+OAUTH_EMAIL_CLAIM = PersistentConfig(
+    "OAUTH_EMAIL_CLAIM",
+    "oauth.oidc.email_claim",
+    os.environ.get("OAUTH_EMAIL_CLAIM", "email"),
+)
+
 
 def load_oauth_providers():
     OAUTH_PROVIDERS.clear()
diff --git a/backend/main.py b/backend/main.py
index d7bff888e..6e4265a5c 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -2158,7 +2158,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
         log.warning(f"OAuth callback failed, sub is missing: {user_data}")
         raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
     provider_sub = f"{provider}@{sub}"
-    email = user_data.get("email", "").lower()
+    email_claim = webui_app.state.config.OAUTH_EMAIL_CLAIM
+    email = user_data.get(email_claim, "").lower()
     # We currently mandate that email addresses are provided
     if not email:
         log.warning(f"OAuth callback failed, email is missing: {user_data}")