Intercept OIDC linking / data mapping is not updated
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
For existing users, I want to reject OIDC account linking if the email domain does not match the email in the user's traits. So for example, if I have a user like this:
```yaml
identity:
  traits:
    name:
      first: "John"
      last: "Doe"
    email: "[email protected]"
```
I want to reject account linking if the user links with a Microsoft account with email [email protected] (the domain is different). I want to accept if it's [email protected] or [email protected] (domain OK).
Unfortunately, to my knowledge this is not possible at the moment. So one workaround I do now is to update the data mapping to include the email from the claims and put that in the public metadata, and then I can check the emails in retrospect. Something like this: `if metadata_public.linked_email != traits.email: handle_bad_link()`.
So I go to https://console.ory.sh/projects/<project>/social-signin/microsoft and set up this data mapping:
```jsonnet
local claims = std.extVar('claims');
{
  identity: {
    metadata_public: {
      // Copy of the email from the OIDC claims, so it can be compared against
      // traits.email after the link has been made.
      linked_email: claims.email,
      // Marker field: if it shows up on the identity, the mapper was applied.
      foo: "bar"
    },
    traits: {
      email: claims.email,
      name: {
        // Both name fields read family_name, so an identity that went through
        // this mapper ends up with first == last (what the report checks for).
        "first": claims.family_name,
        // Computed field name: a null key omits the field when the claim is absent.
        [if "family_name" in claims then "last" else null]: claims.family_name,
      }
    },
  },
}
```
What I expect
I expect when I link an account, the first name and last name will be the same. I also expect metadata_public to contain "foo" field and "linked_email" field.
What I get
I get that the first name and last name are different, and the metadata_public is not set.
Reproducing the bug
- Set up Microsoft linking with a "Common" tenant and the scopes outlined below.
- Have an existing account, and link that one.
- The first name and last name should be the same, and there should be some data in the public metadata, but it's not there.
Relevant log output
No response
Relevant configuration
```yaml
selfservice:
  methods:
    oidc:
      config:
        base_redirect_uri: [redacted]
        providers:
          - client_id: [redacted]
            client_secret: [redacted]
            id: microsoft
            label: Microsoft
            mapper_url: https://storage.googleapis.com/bac-gcs-production/a2fd16ac5b4671e74fd15ccda28b16e3e094a1f3aa5ba39cbf8880bfae3afef18ff3938df83813b03ffca19728526c11508e7ebf4ba03ff764648448db581c20.jsonnet
            microsoft_tenant: common
            provider: microsoft
            scope:
              - https://graph.microsoft.com/User.Read
              - profile
              - email
              - openid
            subject_source: me
      enabled: true
```
Version
ory network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
None
Additional Context
No response
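As an added example (not the reporter's code, and not part of Ory Kratos or the Ory Network console), here is the post-hoc check the report describes, written in Python against an identity document whose `traits.email` and `metadata_public.linked_email` were filled in by a mapper like the one above. It compares only the domain part, as the first paragraph asks, and it fails closed when `linked_email` is absent, which is exactly the state the issue reports. The function names, the sample identities and the `example.org` / `example.net` addresses are constructed for the example and are not an Ory API.

```python
"""Post-hoc domain check for a linked OIDC account.

Added example, not code from the issue or from Ory. It implements the
workaround the report describes (compare metadata_public.linked_email with
traits.email) but compares only the domain part, and it fails closed when the
mapper did not populate metadata_public, which is the behaviour the issue
reports. All identity documents below are constructed sample data; function
and field names are assumptions, not an Ory API.
"""
import json
from typing import Optional, Tuple


def email_domain(addr: object) -> Optional[str]:
    """Return the lowercased domain of a plain local@domain address.

    Returns None for anything that is not a string with exactly one '@' and a
    non-empty local part and domain, so callers can fail closed on junk.
    """
    if not isinstance(addr, str):
        return None
    addr = addr.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def link_decision(identity: dict) -> Tuple[bool, str]:
    """Decide whether a completed link should be kept.

    Accept only when the domain of metadata_public.linked_email equals the
    domain of traits.email. A missing or malformed value on either side is
    rejected rather than accepted: an identity without linked_email means the
    data mapping was not applied, so nothing is known about the linked
    account's email.
    """
    traits = identity.get("traits") or {}
    metadata = identity.get("metadata_public") or {}
    want = email_domain(traits.get("email"))
    got = email_domain(metadata.get("linked_email"))
    if want is None:
        return False, "identity has no usable traits.email"
    if got is None:
        return False, "metadata_public.linked_email missing or malformed (mapper not applied?)"
    if want != got:
        return False, f"linked account domain {got!r} does not match {want!r}"
    return True, "domains match"


def linked_email_domain_ok(identity: dict) -> bool:
    """Boolean form of link_decision, for use in a policy hook."""
    return link_decision(identity)[0]


def check_identity_json(doc: str) -> Tuple[bool, str]:
    """Same decision, taken on a JSON identity document (e.g. one fetched
    from an admin API and passed in as text)."""
    return link_decision(json.loads(doc))


# Constructed sample identities (not from the issue). The local parts and the
# letter case differ on purpose: only the lowercased domain has to match.
IDENTITY_SAME_DOMAIN = {
    "traits": {"name": {"first": "John", "last": "Doe"}, "email": "john.doe@example.org"},
    "metadata_public": {"linked_email": "J.Doe@EXAMPLE.org", "foo": "bar"},
}
IDENTITY_OTHER_DOMAIN = {
    "traits": {"name": {"first": "John", "last": "Doe"}, "email": "john.doe@example.org"},
    "metadata_public": {"linked_email": "john.doe@example.net", "foo": "bar"},
}
# What the report observes: the link went through but metadata_public stayed empty.
IDENTITY_MAPPER_NOT_APPLIED = {
    "traits": {"name": {"first": "John", "last": "Doe"}, "email": "john.doe@example.org"},
}


if __name__ == "__main__":
    for label, ident in [
        ("same domain", IDENTITY_SAME_DOMAIN),
        ("other domain", IDENTITY_OTHER_DOMAIN),
        ("mapper not applied", IDENTITY_MAPPER_NOT_APPLIED),
    ]:
        ok, reason = link_decision(ident)
        print(f"{label:20s} -> {'accept' if ok else 'reject'}: {reason}")
```

Running the module prints one line per sample identity; the "mapper not applied" case is rejected with a reason pointing at the empty `metadata_public`, which is the safe outcome for the bug described above, since an accepted-by-default link would let a foreign-domain account through unnoticed.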