From bdfca925a37e45357be3311312ce7f7df487e71b Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Sat, 3 Jul 2021 13:40:34 -0700
Subject: [PATCH] Handle UPN fallback when profileURL isn't set

---
 providers/adfs.go | 7 ++-----
 providers/adfs_test.go | 11 +++++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/providers/adfs.go b/providers/adfs.go
index ceecdb24..797c8566 100644
--- a/providers/adfs.go
+++ b/providers/adfs.go
@@ -84,11 +84,8 @@ func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string) string {
 // from the claims. If Email is missing, falls back to ADFS `upn` claim.
 func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
 	err := p.oidcEnrichFunc(ctx, s)
-	if err != nil {
-		return err
-	}
-
-	if s.Email == "" {
+	if err != nil || s.Email == "" {
+		// OIDC only errors if email is missing
 		return p.fallbackUPN(ctx, s)
 	}
 	return nil
diff --git a/providers/adfs_test.go b/providers/adfs_test.go
index adbec455..40a11b57 100644
--- a/providers/adfs_test.go
+++ b/providers/adfs_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -253,6 +254,16 @@ var _ = Describe("ADFS Provider Tests", func() {
 		Expect(err).ToNot(HaveOccurred())
 		Expect(session.Email).To(Equal("upn@company.com"))
 	})
+
+	It("falls back to UPN claim on errors", func() {
+		p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {
+			return errors.New("neither the id_token nor the profileURL set an email")
+		}
+
+		err := p.EnrichSession(context.Background(), session)
+		Expect(err).ToNot(HaveOccurred())
+		Expect(session.Email).To(Equal("upn@company.com"))
+	})
 })
 
 Describe("RefreshSession", func() {
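Review bot: The new condition `if err != nil || s.Email == ""` in EnrichSession discards every error from oidcEnrichFunc, not only the missing-email case the comment describes; a profile-URL fetch failure, a malformed response or any other failure that enrich function may return is now silently replaced by the UPN fallback, and if fallbackUPN also fails the original cause is lost entirely. The comment `// OIDC only errors if email is missing` states an invariant the code does not enforce and that is defined in another file, so it will drift. The stricter fix is a sentinel error on the OIDC side matched with `errors.Is`; if that is not available here, at least keep the original error in the chain when the fallback cannot recover, as below (assumes `fmt` is imported in adfs.go).
```go
	err := p.oidcEnrichFunc(ctx, s)
	if err == nil && s.Email != "" {
		return nil
	}
	// Any OIDC failure triggers the UPN fallback; if that also fails,
	// surface both causes so the real failure is not masked.
	if ferr := p.fallbackUPN(ctx, s); ferr != nil {
		if err != nil {
			return fmt.Errorf("oidc enrich: %v; upn fallback: %w", err, ferr)
		}
		return ferr
	}
	return nil
```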
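Review bot: The new test "falls back to UPN claim on errors" only covers the path where the UPN fallback succeeds, so nothing pins what EnrichSession returns when oidcEnrichFunc errors and no `upn` claim is present either. Add a companion case that builds a session whose ID token lacks `upn` (the fixture here presumably carries one, given the expected `upn@company.com`), stubs the same error, and asserts `Expect(err).To(HaveOccurred())` and `Expect(session.Email).To(BeEmpty())`, so a session with no identity is never enriched silently. The enclosing Describe block starts before this hunk.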