Create option to skip verified email check in OIDC provider

[djfinlay]

Motivation and Context

Some OIDC identity providers don't verify email addresses but still set the "email_verified" claim to false, which results in a 500 error from oauth2_proxy. This option allows the "email_verified" check to be skipped.

Fixes #117

How Has This Been Tested?

Tested manually using the docker container with Auth0 as an OIDC provider:

• use default settings
• try to log in using an account with an unverified email address and get a 500 response
• set --oidc-allow-unverified-email
• try to log in with the same account and get proxied to the upstream

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[JoelSpeed]

One quick fix then this LGTM, thank!

[anthonymejia]

Is this good to merge?

[poblin-orange]

Will this feature be merged ? (blocking issue to use OIDC provider like UAA)

[JoelSpeed]

Just one final thought having looked at this, how do you feel about renaming the flag to be prefixed with insecure to let people know this is an insecure option, I'm thinking like insecure-skip-tls-verify for isntance?

Also, please add a note to the Changelog before we merge

[JoelSpeed]

Looks good, thanks!

[iamfarsk]

My oidc provider return email_verified claim as string instead of boolean. This is causing an unmarshalling issue during callback handling. Is there a way to get rid off it. I tried using "allow-unverified-emails" but that didn't work.

[hamza3202]

@iamfarsk were you able to make this work?

[iamfarsk]

I switched the oidc provider. Probably you can try the latest version if not tried yet.

…

On Fri, Feb 19, 2021 at 5:44 PM Muhammad Hamza Zaib < ***@***.***> wrote: @iamfarsk <https://github.com/iamfarsk> were you able to make this work? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#159 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGI2S3SGD36HPMKKK6VD2STS7ZI2VANCNFSM4HODP43Q> .

-- Farhan Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

[hamza3202]

I had skipped the --provider flag and thats why it wasn't working. Perhaps code can be improved so that it only reads fields relevant to a provider.