User authentication and session management for web applications


Parse OIDC email_verified claim from custom providers

Custom providers that return the standard OIDC `email_verified` claim
(OpenID Connect Core 1.0, Section 5.1) now have it respected. It was
previously hardcoded to false; the email field is now populated only when
`email_verified` is true, consistent with how Google and GitLab are treated.

+14 -2
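--- a/test/test_auth.ml
+++ b/test/test_auth.ml
@@ -337,12 +337,24 @@
 | Ok p -> Oauth.Custom p
 | Error (`Msg msg) -> failwith msg
 in
+(* Without email_verified — email is dropped *)
 let body = {|{"employee_id":"EMP-42","email":"a@corp.com","name":"A"}|} in
-match Oauth.parse_userinfo provider body with
+(match Oauth.parse_userinfo provider body with
 | Error e -> Alcotest.fail e
 | Ok u ->
 Alcotest.(check string) "uid" "EMP-42" u.uid;
-Alcotest.(check (option string)) "email" (Some "a@corp.com") u.email
+Alcotest.(check (option string)) "unverified email dropped" None u.email;
+Alcotest.(check bool) "email_verified false" false u.email_verified);
+(* With email_verified: true — email is included *)
+let body_verified =
+{|{"employee_id":"EMP-42","email":"a@corp.com","email_verified":true,"name":"A"}|}
+in
+match Oauth.parse_userinfo provider body_verified with
+| Error e -> Alcotest.fail e
+| Ok u ->
+Alcotest.(check (option string))
+"verified email" (Some "a@corp.com") u.email;
+Alcotest.(check bool) "email_verified true" true u.email_verified
 
 let test_userinfo_rejects_garbage () =
 match Oauth.parse_userinfo Github "not json at all" with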
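Review bot: The test only covers `email_verified` absent and `email_verified: true`; it never asserts that an explicit `"email_verified": false` also drops the email, even though that is the case the commit message claims ("only populated when email_verified is true") and the one a hostile or misconfigured provider would actually send. Absent and explicit-false can take different paths in a parser (a missing-key default versus a decoded boolean), so a regression in either would go unnoticed. The new `match` on `body_verified` also does not re-check `u.uid`, so a verified-email case that clobbered the uid would pass; adding `Alcotest.(check string) "uid" "EMP-42" u.uid;` to that branch is cheap. Whether a non-boolean value such as the string `"true"` is treated as unverified cannot be seen from this hunk, but it is worth a case too. The enclosing test function begins above the hunk.
```ocaml
(* … unchanged: provider setup, absent-claim and verified-claim cases … *)
(* With email_verified: false — email is dropped, same as when absent *)
let body_false =
{|{"employee_id":"EMP-42","email":"a@corp.com","email_verified":false,"name":"A"}|}
in
(match Oauth.parse_userinfo provider body_false with
| Error e -> Alcotest.fail e
| Ok u ->
Alcotest.(check (option string)) "explicit false dropped" None u.email;
Alcotest.(check bool) "email_verified explicit false" false u.email_verified);
```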