fix: properly normalize OIDC verified emails

ory · Aug 23, 2023 · 814d232 · 814d232
1 parent 318ea2c
commit 814d232
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go
@@ -409,7 +409,8 @@ func (s *Strategy) extractVerifiedAddresses(evaluated string) ([]VerifiedAddress
 			return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Failed to unmarshal value for key %s. Please check your Jsonnet code!", VerifiedAddressesKey).WithDebugf("%s", err))
 		}
 
-		for _, va := range va {
+		for i := range va {
+			va := &va[i]
 			if va.Via == identity.VerifiableAddressTypeEmail {
 				va.Value = strings.ToLower(strings.TrimSpace(va.Value))
 			}

diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
@@ -825,6 +825,17 @@ func TestStrategy(t *testing.T) {
 			assertVerifiedEmail(t, body, true)
 		})
 
+		t.Run("case=should have verified address when subject matches after normalization", func(t *testing.T) {
+			subject = " [email protected] "
+			r := newBrowserRegistrationFlow(t, returnTS.URL, time.Minute)
+			action := assertFormValues(t, r.ID, "valid")
+			res, body := makeRequest(t, "valid", action, url.Values{"traits.subject": {"[email protected]"}})
+			subject = "[email protected]"
+			assertIdentity(t, res, body)
+			subject = "[email protected]"
+			assertVerifiedEmail(t, body, true)
+		})
+
 		t.Run("case=should have unverified address when subject does not match", func(t *testing.T) {
 			subject = "[email protected]"
 			r := newBrowserRegistrationFlow(t, returnTS.URL, time.Minute)