
Check oidc email_verified claim #12140

Merged
merged 7 commits into from
May 2, 2022

Conversation

xacrimon
Contributor

@xacrimon xacrimon commented Apr 21, 2022

Currently, we do not check the email_verified claim when validating OIDC callbacks.
This is not always set, but if it's set to false, the OIDC provider does not guarantee the authenticity of the email address and Teleport should reject it.

This will only be manually tested.
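The policy the description lays out, written as an added Go example; this is not Teleport's lib/auth/oidc.go and does not reproduce the merged change. It decodes a (already signature-checked) ID token payload, accepts the identity when email_verified is absent or true, and rejects it when the provider explicitly says false. The fallback for a string-typed "true"/"false" value is an assumption about some providers' behaviour, not something the PR states; the sample payloads are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// idTokenClaims is the subset of an OIDC ID token payload inspected here.
// email_verified is optional in OIDC Core (section 5.1), so it is kept as a
// json.RawMessage to tell "claim absent" apart from "claim present and false".
type idTokenClaims struct {
	Email         string          `json:"email"`
	EmailVerified json.RawMessage `json:"email_verified"`
}

// errEmailNotVerified is returned when the provider explicitly states that it
// has not verified the e-mail address it is asserting.
var errEmailNotVerified = errors.New("oidc: provider reports email_verified=false, rejecting identity")

// checkEmailVerified implements the policy from the PR description:
//   - claim absent (or null): the provider makes no statement, accept
//   - claim true: accept
//   - claim false: reject
// Assumption (not from the PR): a few providers encode the flag as the JSON
// string "true"/"false"; those are normalised rather than treated as errors.
func checkEmailVerified(raw json.RawMessage) error {
	if len(raw) == 0 || string(raw) == "null" {
		return nil
	}
	var verified bool
	if err := json.Unmarshal(raw, &verified); err == nil {
		if !verified {
			return errEmailNotVerified
		}
		return nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return fmt.Errorf("oidc: email_verified claim has unexpected type: %s", string(raw))
	}
	switch s {
	case "true":
		return nil
	case "false":
		return errEmailNotVerified
	default:
		return fmt.Errorf("oidc: email_verified claim has unexpected value %q", s)
	}
}

// validateIDTokenClaims parses an already signature-checked ID token payload
// and returns the e-mail the identity may be mapped to. Signature, issuer,
// audience and expiry validation are assumed to have happened earlier.
func validateIDTokenClaims(payload []byte) (string, error) {
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", fmt.Errorf("oidc: decoding claims: %w", err)
	}
	if c.Email == "" {
		return "", errors.New("oidc: email claim missing")
	}
	if err := checkEmailVerified(c.EmailVerified); err != nil {
		return "", err
	}
	return c.Email, nil
}

func main() {
	// Constructed sample payloads; these are not real tokens.
	samples := []string{
		`{"email":"alice@example.com","email_verified":true}`,
		`{"email":"bob@example.com"}`,
		`{"email":"mallory@example.com","email_verified":false}`,
		`{"email":"carol@example.com","email_verified":"false"}`,
		`{"email":"dave@example.com","email_verified":1}`,
	}
	for _, s := range samples {
		email, err := validateIDTokenClaims([]byte(s))
		if err != nil {
			fmt.Printf("REJECT %s: %v\n", s, err)
			continue
		}
		fmt.Printf("ACCEPT %s -> %s\n", s, email)
	}
}
```

Treating an absent claim as "accept" is deliberate and matches the description: the provider has made no statement, and a deployment that wants stricter behaviour would fail closed on absence instead. An unexpected type is a distinct error from an explicit false so that a misconfigured provider is diagnosable rather than silently rejected as unverified.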

@xacrimon xacrimon marked this pull request as ready for review April 21, 2022 08:54
@github-actions github-actions bot requested review from gabrielcorado and zmb3 April 21, 2022 08:54
@zmb3
Collaborator

zmb3 commented Apr 21, 2022

Can we add test coverage?

@xacrimon
Contributor Author

xacrimon commented Apr 25, 2022

@zmb3 This seems to work fine on Google and Okta after manual testing.

@xacrimon xacrimon requested a review from gabrielcorado April 26, 2022 15:48
@xacrimon xacrimon requested a review from zmb3 April 29, 2022 15:59
@xacrimon xacrimon merged commit 2db4e7d into master May 2, 2022
xacrimon added a commit that referenced this pull request May 2, 2022
@xacrimon xacrimon mentioned this pull request May 2, 2022
xacrimon added a commit that referenced this pull request May 3, 2022
xacrimon added a commit that referenced this pull request May 3, 2022
* Harden SQLite permissions (#12096)

* Check oidc email_verified claim (#12140)

* Limit Kubernetes connections (#12275)

* Handle DynamoDB pay-per-request mode correctly (#12295)
@corkrean
Contributor

Would we ever consider creating a way to disable this via the config?

@xacrimon
Contributor Author

We could. Is this causing problems for anyone? Generally I made the assumption that disabling this is very bad security practice, since the field set to false means that the IdP is telling us we can't really trust that the email is controlled by the user in question.

@corkrean
Contributor

I have a meeting with the customer this afternoon. I'll try to understand why the email_verified claim can't be set to true. If they can't set the email_verified claim to true, I'll create a GitHub issue to add a "switch" and link it here.

@zmb3 zmb3 deleted the joel/TEL-Q122-1 branch April 26, 2023 21:30