Fail if OIDC config contains hosted domains (#2937)

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

Fail if OIDC config contains hosted domains (#2937)
bc8c2276 · Maksim Nabokikh · GitHub · 34a8aa23 · bc8c2276
Unverified Commit bc8c2276 authored 2 years ago by Maksim Nabokikh Committed by GitHub 2 years ago
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -35,6 +35,14 @@ type Config struct {
 	Scopes []string `json:"scopes"` // defaults to "profile" and "email"
+	// HostedDomains was an optional list of whitelisted domains when using the OIDC connector with Google.
+	// Only users from a whitelisted domain were allowed to log in.
+	// Support for this option was removed from the OIDC connector.
+	// Consider switching to the Google connector which supports this option.
+	//
+	// Deprecated: will be removed in future releases.
+	HostedDomains []string `json:"hostedDomains"`
 	// Certificates for SSL validation
 	RootCAs []string `json:"rootCAs"`
@@ -112,6 +120,10 @@ func knownBrokenAuthHeaderProvider(issuerURL string) bool {
 // Open returns a connector which can be used to login users through an upstream
 // OpenID Connect provider.
 func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+	if len(c.HostedDomains) > 0 {
+		return nil, fmt.Errorf("support for the Hosted domains option had been deprecated and removed, consider switching to the Google connector")
+	}
 	httpClient, err := httpclient.NewHTTPClient(c.RootCAs, c.InsecureSkipVerify)
 	if err != nil {
 		return nil, err