Handle empty email for from Azure entra id
What does this MR do and why?
When Microsoft Entra ID (Formally azure AD) is integrated with GitLab with OIDC flow. email
attribute may not contain the value even if email
scope is given. Also the username field can have email like field GitLab@gitlabsandbox.onmicrosoft.com
.
So when GitLab attempts to create a temporary email for this user, it will be temp-email-for-oauth-gitlab@gitlabsandbox.onmicrosoft.com@gitlab.localhost
. Since this email contain two @
, system will mark this user as invalid and prevents the sign in.
Proposed solution is to remove the domain
field from the user name if it is of the form something@domain
. Old behaviour is kept intact for LDAP login as there is an existing spec which expects username in something@domain
format
{
"email"=>nil,
"email_verified"=>nil,
"nickname"=>"GitLab@gitlabsandbox.onmicrosoft.com",
"first_name"=>nil,
"last_name"=>nil,
"gender"=>nil,
"image"=>"https://graph.microsoft.com/v1.0/me/photo/$value",
"phone"=>nil,
"urls"=>{"website"=>nil}
},
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Setup Azure entra id
- Configure OIDC with the following configuration
allow_single_sign_on: [ "openid_connect_azure"]
block_auto_created_users: false
- {
name: "openid_connect_azure",
label: "Azure OIDC",
args: {
name: "openid_connect_azure",
strategy_class: 'OmniAuth::Strategies::OpenIDConnect',
issuer: "https://login.microsoftonline.com/<tenent id>/v2.0",
scope: ["openid", "profile", "email"],
response_type: "code",
client_auth_method: "query",
discovery: true,
client_options: {
host: "login.microsoftonline.com",
identifier: "<app_id>",
secret: "<secret>",
redirect_uri: "https://gdk.test:3000/users/auth/openid_connect_azure/callback"
}
}
}
- Make sure that login is working on Gitlab end with azure as the provider
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #383311 (closed)