From 3a843f815d8bec6792eaee35bc812d06788c533f Mon Sep 17 00:00:00 2001
From: Devin Nemec <devin.nemec@gmail.com>
Date: Sat, 15 Feb 2020 07:36:28 -0600
Subject: [PATCH] GitHub Provider - Fallback to secondary verified email (#372)

* Fallback to secondary verified email

* Add change to changelog
---
 CHANGELOG.md        |  1 +
 providers/github.go | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 510d3fca..74290803 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 
 ## Changes since v5.0.0
 
+- [#372](https://github.com/pusher/oauth2_proxy/pull/372) Allow fallback to secondary verified email address in GitHub provider (@dmnemec)
 - [#335](https://github.com/pusher/oauth2_proxy/pull/335) OIDC Provider support for empty id_tokens in the access token refresh response (@howzat)
 - [#363](https://github.com/pusher/oauth2_proxy/pull/363) Extension of Redis Session Store to Support Redis Cluster (@yan-dblinf)
 - [#353](https://github.com/pusher/oauth2_proxy/pull/353) Fix login page fragment handling after soft reload on Firefox (@ffdybuster)
diff --git a/providers/github.go b/providers/github.go
index f9821cb2..a37d703d 100644
--- a/providers/github.go
+++ b/providers/github.go
@@ -305,13 +305,17 @@ func (p *GitHubProvider) GetEmailAddress(s *sessions.SessionState) (string, erro
 		return "", fmt.Errorf("%s unmarshaling %s", err, body)
 	}
 
+	returnEmail := ""
 	for _, email := range emails {
-		if email.Primary && email.Verified {
-			return email.Email, nil
+		if email.Verified {
+			returnEmail = email.Email
+			if email.Primary {
+				return returnEmail, nil
+			}
 		}
 	}
 
-	return "", nil
+	return returnEmail, nil
 }
 
 // GetUserName returns the Account user name
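Review bot: The fallback in the loop keeps the last verified address in the response, not the first, because `returnEmail = email.Email` is overwritten on every verified entry until a verified primary is found; the result therefore depends on the order in which the list comes back. If this address feeds an email or domain allow-list (not visible in this hunk), the access decision for a user with several verified secondary addresses would vary with that order. Guarding the assignment with `if returnEmail == "" { returnEmail = email.Email }` makes the choice deterministic, and a comment such as `// fall back to the first verified address when no primary is verified` would record the intent. The function still returns `"", nil` when no address is verified, so callers have to treat an empty address as a failure; GetEmailAddress begins outside the hunk.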