From fc723af0fe9d2969299edf2ffa457527790cb349 Mon Sep 17 00:00:00 2001
From: Gerald Barker <gerald.barker@gmail.com>
Date: Tue, 5 Mar 2019 21:24:02 +0000
Subject: [PATCH] Add option to OIDC connecter to override email_verified to
 true

---
 Documentation/connectors/oidc.md |  5 +++++
 connector/oidc/oidc.go           | 30 ++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/Documentation/connectors/oidc.md b/Documentation/connectors/oidc.md
index 1217bc8f..559c0f8c 100644
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -55,6 +55,11 @@ connectors:
     #  - profile
     #  - email
     #  - groups
+
+    # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
+    # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
+    # This can be overridden with the below option
+    # insecureSkipEmailVerified: true 
 ```
 
 [oidc-doc]: openid-connect.md
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index ac24acc9..65f877ee 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -36,6 +36,9 @@ type Config struct {
 	// Optional list of whitelisted domains when using Google
 	// If this field is nonempty, only users from a listed domain will be allowed to log in
 	HostedDomains []string `json:"hostedDomains"`
+
+	// Override the value of email_verifed to true in the returned claims
+	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		verifier: provider.Verifier(
 			&oidc.Config{ClientID: clientID},
 		),
-		logger:        logger,
-		cancel:        cancel,
-		hostedDomains: c.HostedDomains,
+		logger:                    logger,
+		cancel:                    cancel,
+		hostedDomains:             c.HostedDomains,
+		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 	}, nil
 }
 
@@ -125,13 +129,14 @@ var (
 )
 
 type oidcConnector struct {
-	redirectURI   string
-	oauth2Config  *oauth2.Config
-	verifier      *oidc.IDTokenVerifier
-	ctx           context.Context
-	cancel        context.CancelFunc
-	logger        log.Logger
-	hostedDomains []string
+	redirectURI               string
+	oauth2Config              *oauth2.Config
+	verifier                  *oidc.IDTokenVerifier
+	ctx                       context.Context
+	cancel                    context.CancelFunc
+	logger                    log.Logger
+	hostedDomains             []string
+	insecureSkipEmailVerified bool
 }
 
 func (c *oidcConnector) Close() error {
@@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 		}
 	}
 
+	if c.insecureSkipEmailVerified {
+		claims.EmailVerified = true
+
+	}
+
 	identity = connector.Identity{
 		UserID:        idToken.Subject,
 		Username:      claims.Username,