Handle UPN fallback when profileURL isn't set

2025-11-27 22:38:39 +02:00 · 2021-07-03 13:40:34 -07:00
parent 1621ea3bba
commit bdfca925a3
2 changed files with 13 additions and 5 deletions
--- a/providers/adfs.go
+++ b/providers/adfs.go
@@ -84,11 +84,8 @@ func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string) string {
 // from the claims. If Email is missing, falls back to ADFS `upn` claim.
 func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
 	err := p.oidcEnrichFunc(ctx, s)
-	if err != nil {
-		return err
-	}
-
-	if s.Email == "" {
+	if err != nil || s.Email == "" {
+		// OIDC only errors if email is missing
 		return p.fallbackUPN(ctx, s)
 	}
 	return nil