Handle UPN fallback when profileURL isn't set

providers/adfs.go

@@ -84,11 +84,8 @@ func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string) string {
 // from the claims. If Email is missing, falls back to ADFS `upn` claim.
 func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
 	err := p.oidcEnrichFunc(ctx, s)
-	if err != nil {
+	if err != nil || s.Email == "" {
-		return err
+		// OIDC only errors if email is missing
-	}
-
-	if s.Email == "" {
 		return p.fallbackUPN(ctx, s)
 	}
 	return nil

providers/adfs_test.go

@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -253,6 +254,16 @@ var _ = Describe("ADFS Provider Tests", func() {
 				Expect(err).ToNot(HaveOccurred())
 				Expect(session.Email).To(Equal("upn@company.com"))
 			})
+
+			It("falls back to UPN claim on errors", func() {
+				p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {
+					return errors.New("neither the id_token nor the profileURL set an email")
+				}
+
+				err := p.EnrichSession(context.Background(), session)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(session.Email).To(Equal("upn@company.com"))
+			})
 		})
 
 		Describe("RefreshSession", func() {