From 55605751f500a6d9ef2e2873f5aad5aeab8458ad Mon Sep 17 00:00:00 2001
From: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
Date: Tue, 24 Aug 2021 07:13:34 +0200
Subject: [PATCH] Add overrideWithMissingCustomEmailClaim test

Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
---
 connector/oidc/oidc.go | 4 ++++
 connector/oidc/oidc_test.go | 17 +++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index b0467330..f33b01f0 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -314,6 +314,10 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 if (!found || c.overrideClaimMapping) && c.emailKey != "" {
 emailKey = c.emailKey
 email, found = claims[emailKey].(string)
+ if !found && c.overrideClaimMapping {
+ // If override is enabled but claim was not found, empty string is preferred over fallback.
+ email, found = "", true
+ }
 }
 
 if !found && hasEmailScope {
diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go
index 3038cebc..d92fdea5 100644
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@@ -110,6 +110,23 @@ func TestHandleCallback(t *testing.T) {
 "email_verified": true,
 },
 },
+ {
+ name: "overrideWithMissingCustomEmailClaim",
+ userIDKey: "", // not configured
+ userNameKey: "", // not configured
+ overrideClaimMapping: true,
+ emailKey: "custommail",
+ expectUserID: "subvalue",
+ expectUserName: "namevalue",
+ expectedEmailField: "",
+ token: map[string]interface{}{
+ // no "custommail" claim
+ "sub": "subvalue",
+ "name": "namevalue",
+ "email": "emailvalue",
+ "email_verified": true,
+ },
+ },
 {
 name: "email_verified not in claims, configured to be skipped",
 insecureSkipEmailVerified: true,
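Review bot: The added `email, found = "", true` in createIdentity does not change the email value, because the failed `.(string)` assertion on the line above already leaves it empty; its only effect is to flip `found`, so the `if !found && hasEmailScope` guard that follows (its body is outside the hunk and presumably rejects the login) no longer fires when the email scope was requested but the configured claim is absent. The same branch is taken when the claim is present but not a string, which hides a provider misconfiguration instead of reporting it. The comment should state that effect, e.g. `// Override set and custom claim missing or non-string: continue with an empty email and skip the missing-claim check below.` If an empty email must never be reported as verified, the verified flag should presumably be cleared in this case as well; confirm against the rest of createIdentity, which continues outside the hunk.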
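Review bot: The new `overrideWithMissingCustomEmailClaim` case asserts only `expectedEmailField: ""` while its token still carries `"email_verified": true`, so it does not pin whether an identity with no email is reported as verified; if the table has a field for the verified flag (not visible in this hunk), it should be set here. A sibling case in which `custommail` is present with a non-string value would also document that the override path treats it the same as a missing claim. The table in TestHandleCallback continues outside the hunk.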