From 3f3e11ca4c0c7c848d177e5f43b66b51b4aa404b Mon Sep 17 00:00:00 2001
From: Kyle Carberry <kyle@carberry.com>
Date: Mon, 17 Oct 2022 18:02:45 +0000
Subject: [PATCH] fix: Allow OIDC with the username as email

Fixes #4472.
---
 coderd/userauth.go      | 27 ++++++++++++++++++---------
 coderd/userauth_test.go |  9 +++++++++
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 4dd67844cfb0b..7a18b9790df04 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/mail"
 	"strconv"
 	"strings"
 
@@ -219,12 +220,25 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	usernameRaw, ok := claims["preferred_username"]
+	var username string
+	if ok {
+		username, _ = usernameRaw.(string)
+	}
 	emailRaw, ok := claims["email"]
 	if !ok {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "No email found in OIDC payload!",
-		})
-		return
+		// Email is an optional claim in OIDC and
+		// instead the email is frequently sent in
+		// "preferred_username". See:
+		// https://github.com/coder/coder/issues/4472
+		_, err = mail.ParseAddress(username)
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "No email found in OIDC payload!",
+			})
+			return
+		}
+		emailRaw = username
 	}
 	email, ok := emailRaw.(string)
 	if !ok {
@@ -243,11 +257,6 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	usernameRaw, ok := claims["preferred_username"]
-	var username string
-	if ok {
-		username, _ = usernameRaw.(string)
-	}
 	// The username is a required property in Coder. We make a best-effort
 	// attempt at using what the claims provide, but if that fails we will
 	// generate a random username.
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index 42ac974d4e5ee..9643351032a88 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -425,6 +425,15 @@ func TestUserOIDC(t *testing.T) {
 		Username:     "kyle",
 		AllowSignups: true,
 		StatusCode:   http.StatusTemporaryRedirect,
+	}, {
+		// See: https://github.com/coder/coder/issues/4472
+		Name: "UsernameIsEmail",
+		Claims: jwt.MapClaims{
+			"preferred_username": "kyle@kwc.io",
+		},
+		Username:     "kyle",
+		AllowSignups: true,
+		StatusCode:   http.StatusTemporaryRedirect,
 	}, {
 		Name: "WithPicture",
 		Claims: jwt.MapClaims{

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/4594.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/4594.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/4594.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/4594.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>