From b499412aee00f709bb71b50b65f4272fec2b9897 Mon Sep 17 00:00:00 2001
From: foresturquhart
Date: Thu, 6 Feb 2025 17:46:46 +0000
Subject: [PATCH] Wrap new VerifyLogin logic in allowedHostedDomains length check

---
 pkg/auth/oidc.go | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/pkg/auth/oidc.go b/pkg/auth/oidc.go
index f241ff46..ed5bb543 100644
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -139,24 +139,24 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVeri
 }
 
 func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
- // Decode token without verifying signature to retrieved 'hd' claim.
- parts := strings.Split(loginMsg.PrivilegeKey, ".")
- if len(parts) != 3 {
- return fmt.Errorf("invalid OIDC token format")
- }
-
- payload, err := base64.RawURLEncoding.DecodeString(parts[1])
- if err != nil {
- return fmt.Errorf("invalid OIDC token: failed to decode payload: %v", err)
- }
-
- var claims map[string]any
- if err := json.Unmarshal(payload, &claims); err != nil {
- return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
- }
-
 // Verify hosted domain (hd claim).
 if len(auth.allowedHostedDomains) > 0 {
+ // Decode token without verifying signature to retrieved 'hd' claim.
+ parts := strings.Split(loginMsg.PrivilegeKey, ".")
+ if len(parts) != 3 {
+ return fmt.Errorf("invalid OIDC token format")
+ }
+
+ payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+ if err != nil {
+ return fmt.Errorf("invalid OIDC token: failed to decode payload: %v", err)
+ }
+
+ var claims map[string]any
+ if err := json.Unmarshal(payload, &claims); err != nil {
+ return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
+ }
+
 hd, ok := claims["hd"].(string)
 if !ok {
 return fmt.Errorf("OIDC token missing required 'hd' claim")
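Review bot: The hosted-domain check inside the `if len(auth.allowedHostedDomains) > 0` block still reads `hd` from a payload that the added comment itself says is decoded "without verifying signature", so the allow-list decision is only meaningful if the same token is later verified by `auth.verifier` and the verified claims agree; if the verifier exposes the verified claims, `hd` should be taken from those instead, otherwise the block should carry a comment such as `// 'hd' comes from the unverified payload; the signature check below must still pass before this result is trusted.`. Moving `payload, err := base64.RawURLEncoding.DecodeString(parts[1])` into the block also makes it shadow the named result `err` (it was a same-scope reassignment before), which `go vet -shadow` will flag; use `payload, decErr :=` or assign with `=`. Two smaller points in the added lines: the comment typo `to retrieved 'hd' claim` should read `to retrieve the 'hd' claim`, and the two `fmt.Errorf(... %v, err)` calls should wrap with `%w` so callers can use `errors.Is`/`errors.As`. VerifyLogin's body continues outside the hunk, so the remaining domain comparison and the actual token verification were not visible for this review.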