Skip to content

feat(auth): add OIDC allowlist restrictions#8984

Merged
klesh merged 1 commit into
apache:mainfrom
MauricioApu:feat/oidc-allowlist
Jul 10, 2026
Merged

feat(auth): add OIDC allowlist restrictions#8984
klesh merged 1 commit into
apache:mainfrom
MauricioApu:feat/oidc-allowlist

Conversation

@MauricioApu

@MauricioApu MauricioApu commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ Pre Checklist

  • I have read through the Contributing Documentation.
  • I have added relevant tests.
  • I have added relevant documentation.
  • I will add labels to the PR, such as pr-type/bug-fix, pr-type/feature-development, etc.

Summary

This PR introduces optional authorization filters to restrict OIDC logins by specific email addresses (OIDC_ALLOW_EMAILS) or domain suffixes (OIDC_ALLOW_DOMAINS).

  • Default Unrestricted Behavior: If both configuration variables are empty or omitted, login access remains entirely unrestricted.
  • Case-Insensitive & Formatted Matching: Email strings are properly trimmed of whitespace and converted to lower case to prevent user input discrepancies from blocking authentication.
  • Granular Control: Administrators can now restrict access to specific developers or entire organizational domains seamlessly.

Does this close any open issues?

None. This is a straightforward enhancement implemented directly to address an internal deployment requirement.

Screenshots

Screenshot 2026-07-09 at 4 06 51 PM

Other Information

  • Tests were added under backend/helpers/oidchelper/authorization_test.go confirming case-insensitivity, malformed string protection, domain parsing, and default pass-through state behaviors.
  • Updated .env.example to document the new optional configuration keys.

@MauricioApu MauricioApu force-pushed the feat/oidc-allowlist branch from a55504b to 51808cf Compare July 9, 2026 19:15
@klesh klesh merged commit 50f664e into apache:main Jul 10, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants