OAuth 2.0 authorization and token exchange

Parse OIDC email_verified claim from custom providers

Custom providers that return the standard OIDC email_verified field
(Section 5.1) now have it respected. Previously hardcoded to false,
email is now only populated when email_verified is true — consistent
with Google and GitLab treatment.

+11 -5
+9 -4
lib/oauth.ml
··· 524 524 u.avatar_url) 525 525 |> Jsont.Object.skip_unknown |> Jsont.Object.finish 526 526 527 - (* Custom: uid extracted from the configured uid_field *) 527 + (* Custom: uid extracted from the configured uid_field. Parses the standard 528 + OIDC email_verified claim (Section 5.1) when present. *) 528 529 let custom_userinfo_jsont ~uid_field = 529 - Jsont.Object.map ~kind:"custom_userinfo" (fun uid email name -> 530 + Jsont.Object.map ~kind:"custom_userinfo" (fun uid email email_verified name -> 531 + let verified = email_verified = Some true in 532 + let email = if verified then non_empty email else None in 530 533 { 531 534 uid; 532 535 login = ""; 533 - email = non_empty email; 534 - email_verified = false; 536 + email; 537 + email_verified = verified; 535 538 name; 536 539 avatar_url = ""; 537 540 }) 538 541 |> Jsont.Object.mem uid_field Jsont.string ~enc:(fun u -> u.uid) 539 542 |> Jsont.Object.mem "email" Jsont.string ~dec_absent:"" ~enc:(fun u -> 540 543 opt_to_string u.email) 544 + |> Jsont.Object.opt_mem "email_verified" Jsont.bool ~enc:(fun u -> 545 + Some u.email_verified) 541 546 |> Jsont.Object.mem "name" Jsont.string ~dec_absent:"" ~enc:(fun u -> u.name) 542 547 |> Jsont.Object.skip_unknown |> Jsont.Object.finish 543 548
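Review bot: the new `let email = if verified then non_empty email else None` drops the address for every custom provider that omits the `email_verified` claim entirely, whereas before this change such providers still yielded `email` with `email_verified = false`; that is a behavioural change for existing deployments whose provider never sends the claim, and it should be called out in the commit message and the .mli rather than described only as "now respected". A second point on `|> Jsont.Object.opt_mem "email_verified" Jsont.bool`: if a provider emits the claim as the string `"true"` instead of a JSON boolean, the whole userinfo decode fails rather than the user being treated as unverified; failing closed is defensible, but the comment above `custom_userinfo_jsont` should say that non-boolean values are rejected (or the decoder should explicitly map them to unverified) so the behaviour is deliberate and documented.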
+2 -1
lib/oauth.mli
··· 302 302 - Google: [true] when [email_verified = true] in the OIDC response. 303 303 - GitHub: [true] for emails obtained via {!parse_github_emails}. 304 304 - GitLab: [true] when [confirmed_at] is present in the user response. 305 - - Custom: always [false] (verification status unknown). 305 + - Custom: [true] when [email_verified = true] in the response 306 + (standard OIDC claim, Section 5.1). [false] otherwise. 306 307 307 308 Do not use [email] for authentication decisions unless 308 309 [email_verified] is [true]. *)
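Review bot: the updated Custom bullet documents when `email_verified` becomes `[true]` but not that `email` is now `[None]` whenever the claim is absent or not `[true]` (the accompanying lib/oauth.ml change), while the unchanged closing paragraph "Do not use [email] for authentication decisions unless [email_verified] is [true]" still reads as though an unverified address may be present for display. Add a clause such as "[email] is [None] unless the claim is [true]" to the Custom bullet, and turn the fragment "[false] otherwise." into a full sentence, e.g. "[false] when the claim is absent or not [true]."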