Introduce an environment variable to allow JIT OIDC users creation based on their email address domain.

2026-05-23 17:19:37 +02:00 · 2025-07-21 15:51:13 -03:00
parent e19c3016db
commit a44bea4d1f
2 changed files with 8 additions and 0 deletions
--- a/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs
@@ -37,6 +37,13 @@ const OIDCAuthenticationManager = {
 // (Is it safe? Concider: If an account from the specified provider is already linked to this user, throw an error)
      user = await User.findOne({ 'email': email }).exec()
      if (!user) {
+        let allowedDomains = Settings.oidc.allowedOIDCEmailDomains;
+          allowedDomains = allowedDomains.split(',').map(d => d.trim()); // Make sure it's an array
+          const domain = email.split('@')[1];
+
+          if (!allowedDomains.includes(domain)) {
+            return null;
+          }
        if (Settings.oidc.disableJITAccountCreation) {
          return null
        }
--- a/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
@@ -16,6 +16,7 @@ const OIDCModuleManager = {
      attUserId:    process.env.OVERLEAF_OIDC_USER_ID_FIELD || 'id',
      attAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD,
      valAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD_VALUE,
+      allowedOIDCEmailDomains:     process.env.OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS,
      updateUserDetailsOnLogin: boolFromEnv(process.env.OVERLEAF_OIDC_UPDATE_USER_DETAILS_ON_LOGIN),
      disableJITAccountCreation: boolFromEnv(process.env.OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION),
    }