From bc8c2276e3c5255c13e9b7f2c8858eac7acd5e73 Mon Sep 17 00:00:00 2001
From: Maksim Nabokikh <maksim.nabokikh@flant.com>
Date: Tue, 23 May 2023 17:34:08 +0200
Subject: [PATCH] Fail if OIDC config contains hosted domains (#2937)

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
---
 connector/oidc/oidc.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index c022b2ca..b38915e3 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -35,6 +35,14 @@ type Config struct {
 
 	Scopes []string `json:"scopes"` // defaults to "profile" and "email"
 
+	// HostedDomains was an optional list of whitelisted domains when using the OIDC connector with Google.
+	// Only users from a whitelisted domain were allowed to log in.
+	// Support for this option was removed from the OIDC connector.
+	// Consider switching to the Google connector which supports this option.
+	//
+	// Deprecated: will be removed in future releases.
+	HostedDomains []string `json:"hostedDomains"`
+
 	// Certificates for SSL validation
 	RootCAs []string `json:"rootCAs"`
 
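Review bot: The new doc comment on HostedDomains says what the option used to do but not why the field is still declared now that support is gone, so a later cleanup may remove it and silently reintroduce the "ignored whitelist" behaviour this patch closes. Suggest adding a line to the comment such as `// The field is kept only so that a config still setting it is rejected in Open instead of being silently ignored.`. The json tag must stay for the same reason: without it the value would never be decoded and the check in the second hunk could not fire. The Config struct continues outside the hunk.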
@@ -112,6 +120,10 @@ func knownBrokenAuthHeaderProvider(issuerURL string) bool {
 // Open returns a connector which can be used to login users through an upstream
 // OpenID Connect provider.
 func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+	if len(c.HostedDomains) > 0 {
+		return nil, fmt.Errorf("support for the Hosted domains option had been deprecated and removed, consider switching to the Google connector")
+	}
+
 	httpClient, err := httpclient.NewHTTPClient(c.RootCAs, c.InsecureSkipVerify)
 	if err != nil {
 		return nil, err
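Review bot: The guard on the first added line is the right fail-closed choice (the old whitelist semantics can no longer be enforced here, so rejecting is safer than ignoring), but the error does not name the config key the operator has to remove, and it is built with fmt.Errorf from a constant string. Suggest `return nil, fmt.Errorf("the hostedDomains option has been deprecated and removed from the OIDC connector; remove it from the config or switch to the Google connector, which still supports it")` (errors.New would be the idiomatic constructor for a verb-less message, but that may need an import change outside this hunk). Open's body continues past the hunk.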
-- 
GitLab