auth-oauth2: Disable Strict Email Matching on Authorization

This commit disables strict email match when doing email authorization (getting token). While strict by default was noble, checking for a match is troublesome when a global admin can authorize for an email account or/and its aliases. A strict placeholder flag is set to false default for now with the intention of making it configurable in the future.
protich · Nov 3, 2022 · 631e833 · 631e833
1 parent 38ed198
commit 631e833
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/auth-oauth2/oauth2.php b/auth-oauth2/oauth2.php
@@ -64,6 +64,10 @@ trait OAuth2AuthenticationTrait {
     private $provider;
     // debug mode flag
     private $debug = false;
+    // Strict flag
+    // TODO: Make it configurable (checkbox)
+    private $strict = false;
+
     // SESSION store for data like AuthNRequestID
     private $session;
     // Configuration store
@@ -105,6 +109,10 @@ function callback($resp, $ref=null) {
         }
     }
 
+    private function isStrict() {
+        return (bool) $this->strict;
+    }
+
     function getId() {
         return static::$id;
     }
@@ -302,9 +310,10 @@ public function callback($resp, $ref=null) {
                     'resource_owner_id' => $token->getResourceOwnerId(),
                     'resource_owner_email' => $attrs['email'],
                 ];
+
                 if (!isset($attrs['email']))
                     $errors[$err] = $this->error_msg(self::ERR_EMAIL_ATTR, $attrs);
-                elseif (!$this->signIn($attrs))
+                elseif ($this->isStrict() && !$this->signIn($attrs))
                     $errors[$err] = $this->error_msg(self::ERR_EMAIL_MISMATCH, $attrs);
                 elseif (!$info['refresh_token'])
                     $errors[$err] = $this->error_msg(self::ERR_REFRESH_TOKEN);