GitHub/outline
1
0
Fork 0
mirror of https://github.com/outline/outline.git synced 2026-06-13 11:25:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: Widen validated emails for Azure (#12637)

Browse Source
This commit is contained in:
Tom Moor
2026-06-08 20:20:52 -04:00
committed by GitHub
parent a2f9962958
commit a3fcd71582
1 changed files with 24 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plugins/azure/server/auth/azure.ts
+24 -10
View File
@@ -102,17 +102,31 @@ if (env.AZURE_CLIENT_ID && env.AZURE_CLIENT_SECRET) {
const user = const user =
context.state?.auth?.user ?? (await getUserFromOAuthState(context)); context.state?.auth?.user ?? (await getUserFromOAuthState(context));
// Microsoft's email claim is mutable, only trust it when a verification // The mail and userPrincipalName values come from the directory via the
// claim confirms it — xms_edov for workforce tenants, or the standard // Graph API and are owned by the organization, so an email sourced from
// email_verified claim in External ID / OIDC scenarios. // them is inherently trusted. Microsoft's mutable `email` token claim is
// only trusted when a verification claim confirms it — xms_edov for
// workforce tenants, or the standard email_verified claim in External ID
// / OIDC scenarios.
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization // https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization
const verificationClaims = [profile.xms_edov, profile.email_verified]; const directoryEmails = [
const presentClaims = verificationClaims.filter( profileResponse.mail,
(claim) => claim !== undefined profileResponse.userPrincipalName,
); ]
const emailVerified = presentClaims.length .filter(Boolean)
? presentClaims.some((claim) => claim === true || claim === "true") .map((value) => value.toLowerCase());
: undefined;
const verificationClaims = [
profile.xms_edov,
profile.email_verified,
].filter((claim) => claim !== undefined);
const emailVerified =
directoryEmails.includes(email.toLowerCase()) ||
(verificationClaims.length
? verificationClaims.some(
(claim) => claim === true || claim === "true"
)
: undefined);
const domain = parseEmail(email).domain; const domain = parseEmail(email).domain;
const subdomain = slugifyDomain(domain); const subdomain = slugifyDomain(domain);