📫 refactor: OpenID Email Claim Fallback (#10296)

* 📫 refactor: Enhance OpenID email Fallback * Updated email retrieval logic to use preferred_username or upn if email is not available. * Adjusted logging and user data assignment to reflect the new email handling approach. * Ensured email domain validation checks the correct email source. * 🔄 refactor: Update Email Domain Validation Logic * Modified `isEmailDomainAllowed` function to return true for falsy emails and missing domain restrictions. * Added new test cases to cover scenarios with and without domain restrictions. * Ensured proper validation when domain restrictions are present.
2025-12-16 16:30:15 +01:00 · 2025-10-29 12:57:43 -04:00 · 2025-10-29 12:57:43 -04:00 · 861ef98d29
commit 861ef98d29
parent 05c706137e
3 changed files with 29 additions and 15 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -357,16 +357,18 @@ async function setupOpenId() {
          };

          const appConfig = await getAppConfig();
-          if (!isEmailDomainAllowed(userinfo.email, appConfig?.registration?.allowedDomains)) {
+          /** Azure AD sometimes doesn't return email, use preferred_username as fallback */
+          const email = userinfo.email || userinfo.preferred_username || userinfo.upn;
+          if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
            logger.error(
-              `[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${userinfo.email}]`,
+              `[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${email}]`,
            );
            return done(null, false, { message: 'Email domain not allowed' });
          }

          const result = await findOpenIDUser({
            findUser,
-            email: claims.email,
+            email: email,
            openidId: claims.sub,
            idOnTheSource: claims.oid,
            strategyName: 'openidStrategy',
@ -433,7 +435,7 @@ async function setupOpenId() {
              provider: 'openid',
              openidId: userinfo.sub,
              username,
-              email: userinfo.email || '',
+              email: email || '',
              emailVerified: userinfo.email_verified || false,
              name: fullName,
              idOnTheSource: userinfo.oid,
@ -447,8 +449,8 @@ async function setupOpenId() {
            user.username = username;
            user.name = fullName;
            user.idOnTheSource = userinfo.oid;
-            if (userinfo.email && userinfo.email !== user.email) {
-              user.email = userinfo.email;
+            if (email && email !== user.email) {
+              user.email = email;
              user.emailVerified = userinfo.email_verified || false;
            }
          }