From 687d0b1c6219d7488c59ac1b63b29264dbeb8bcf Mon Sep 17 00:00:00 2001
From: Orne Brocaar
Date: Thu, 23 Nov 2023 15:05:27 +0000
Subject: [PATCH] Add assume_email_verified option for OIDC. Fixes #302.
---
 chirpstack/src/api/internal.rs | 6 +++++-
 chirpstack/src/cmd/configfile.rs | 8 ++++++++
 chirpstack/src/config.rs | 1 +
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/chirpstack/src/api/internal.rs b/chirpstack/src/api/internal.rs
index 5707329e..70afc5eb 100644
--- a/chirpstack/src/api/internal.rs
+++ b/chirpstack/src/api/internal.rs
@@ -429,7 +429,11 @@ impl InternalService for Internal {
 return Err(Status::invalid_argument("email is missing"));
 }
 };
- let email_verified = oidc_user.email_verified().unwrap_or_default();
+ let email_verified = oidc_user.email_verified().unwrap_or_default()
+ || conf
+ .user_authentication
+ .openid_connect
+ .assume_email_verified;

 if !email_verified {
 return Err(Status::failed_precondition(
diff --git a/chirpstack/src/cmd/configfile.rs b/chirpstack/src/cmd/configfile.rs
index 69b84f96..fc6b9140 100644
--- a/chirpstack/src/cmd/configfile.rs
+++ b/chirpstack/src/cmd/configfile.rs
@@ -600,6 +600,14 @@ pub fn run() {
 # The login label is used in the web-interface login form.
 login_label="{{ user_authentication.openid_connect.login_label }}"

+ # Assume e-mail verified.
+ #
+ # If set to true, then ChirpStack will ignore the email_verified received
+ # from the OpenID Connect provider, assuming it will be true. Some
+ # providers do not provide this field, in which case setting this value
+ # is needed.
+ assume_email_verified={{ user_authentication.openid_connect.assume_email_verified }}
+

 # Join Server configuration.
 [join_server]
diff --git a/chirpstack/src/config.rs b/chirpstack/src/config.rs
index 481de18d..c3f3918c 100644
--- a/chirpstack/src/config.rs
+++ b/chirpstack/src/config.rs
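Review bot: With `assume_email_verified` enabled, the `||` in the new `email_verified` expression in `chirpstack/src/api/internal.rs` overrides an explicit `email_verified = false` from the provider, not only a missing claim. The option's stated motivation in the config template is providers that omit the field, so using the flag only as the fallback keeps an explicit "not verified" answer effective: `let email_verified = oidc_user.email_verified().unwrap_or(conf.user_authentication.openid_connect.assume_email_verified);`. This matters if the e-mail address is what ties the OIDC identity to a local user, which presumably happens later in this function; the body starts and ends outside the hunk.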
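Review bot: The template comment added for `assume_email_verified` in `chirpstack/src/cmd/configfile.rs` does not tell the operator what is given up: with the option on, every e-mail address returned by the provider is accepted as verified, including one the provider marks as unverified. I would add a line such as `# Only enable this when the provider itself verifies e-mail addresses.` and state the option's default next to it. The phrase "ignore the email_verified received" would also read more clearly as "ignore the email_verified claim received".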
@@ -407,6 +407,7 @@ pub struct OpenIdConnect {
 pub redirect_url: String,
 pub logout_url: String,
 pub login_label: String,
+ pub assume_email_verified: bool,
 }

 #[derive(Serialize, Deserialize, Default, Clone)]
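Review bot: The new `assume_email_verified` field relaxes an authentication check but carries no doc comment, and its default cannot be seen from this hunk. A line such as `/// Accept the OIDC e-mail as verified regardless of the provider's email_verified claim.` above the field would document it. The struct's `Default` (its derive or impl sits above the hunk) should be confirmed to leave the field `false`, so existing configurations keep the current check.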