author | Dave Arter <davea@mysociety.org> | 2020-06-01 13:49:52 +0100 |
---|---|---|
committer | Dave Arter <davea@mysociety.org> | 2020-07-02 14:38:50 +0100 |
commit | aad79063d6e01f7596da564b274b3bf78413fdfa (patch) | |
tree | 16df4063387a3a3e33eeb75cdcf4a323908ddbc5 | |
parent | c5b0d088eb76dcf7290dae5d4d2d208f7031d13d (diff) |
Add allowed_domains OIDC config to limit logins to specific domains
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth/Social.pm | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Auth/Social.pm b/perllib/FixMyStreet/App/Controller/Auth/Social.pm
index c9e0381a4..ce94fe256 100644
--- a/perllib/FixMyStreet/App/Controller/Auth/Social.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth/Social.pm
@@ -306,6 +306,14 @@ sub oidc_callback: Path('/auth/OIDC') : Args(0) {
     # check that the nonce matches what we set in the user session
     $c->detach('/page_error_500_internal_error', ['invalid id_token'])
         unless $id_token->payload->{nonce} eq $c->session->{oauth}{nonce};
+    if (my $domains = $c->cobrand->feature('oidc_login')->{allowed_domains}) {
+        # Check that the hd payload is present in the token and matches the
+        # list of allowed domains from the config
+        my $hd = $id_token->payload->{hd};
+        my %allowed_domains = map { $_ => 1} @$domains;
+        $c->detach('oauth_failure') unless $allowed_domains{$hd};
+    }
+
     # Some claims need parsing into a friendlier format
     my $name = $id_token->payload->{name} || join(" ", $id_token->payload->{given_name}, $id_token->payload->{family_name});
     my $email = $id_token->payload->{email};
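Review bot: The presence check the new comment promises is only implicit: when the id_token carries no `hd` claim, `$hd` is undef and `$allowed_domains{$hd}` becomes a lookup of the empty-string key, which rejects the login but only by accident and with an uninitialized-value warning under `use warnings`; make it explicit with `$c->detach('oauth_failure') unless defined $hd && $allowed_domains{$hd};`. The same line is the whole authorisation decision for domain-restricted cobrands, so a one-line comment such as `# hd is the hosted-domain claim; an absent claim must fail closed` would help the next reader. If the `allowed_domains` config value can ever be a single string rather than a list, `@$domains` will die under strict refs instead of failing the login cleanly; I cannot tell the config format from the hunk, so this is worth confirming. The enclosing `oidc_callback` starts and ends outside the hunk.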