diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index f33b01f0..b0467330 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -314,10 +314,6 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 if (!found || c.overrideClaimMapping) && c.emailKey != "" {
 emailKey = c.emailKey
 email, found = claims[emailKey].(string)
- if !found && c.overrideClaimMapping {
- // If override is enabled but claim was not found, empty string is preferred over fallback.
- email, found = "", true
- }
 }
 
 if !found && hasEmailScope {
diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go
index d92fdea5..3038cebc 100644
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@@ -110,23 +110,6 @@ func TestHandleCallback(t *testing.T) {
 "email_verified": true,
 },
 },
- {
- name: "overrideWithMissingCustomEmailClaim",
- userIDKey: "", // not configured
- userNameKey: "", // not configured
- overrideClaimMapping: true,
- emailKey: "custommail",
- expectUserID: "subvalue",
- expectUserName: "namevalue",
- expectedEmailField: "",
- token: map[string]interface{}{
- // no "custommail" claim
- "sub": "subvalue",
- "name": "namevalue",
- "email": "emailvalue",
- "email_verified": true,
- },
- },
 {
 name: "email_verified not in claims, configured to be skipped",
 insecureSkipEmailVerified: true,