From 7acec6243bb35a06cff99f01b6d7258bdf528083 Mon Sep 17 00:00:00 2001
From: Aigars Mahinovs
Date: Wed, 13 Feb 2019 16:26:53 +0100
Subject: [PATCH 1/2] Fall back to using OIDC Subject instead of Email

Email is not mandatory field, Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however. Issue: #56
---
 providers/oidc.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/providers/oidc.go b/providers/oidc.go
index 66c0816..fe26ef1 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -106,6 +106,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
 	// Extract custom claims.
 	var claims struct {
+		Subject string `json:"sub"`
 		Email string `json:"email"`
 		Verified *bool `json:"email_verified"`
 	}
@@ -114,7 +115,8 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
 	}
 	if claims.Email == "" {
-		return nil, fmt.Errorf("id_token did not contain an email")
+		// TODO: Try getting email from /userinfo before falling back to Subject
+		claims.Email = claims.Subject
 	}
 	if claims.Verified != nil && !*claims.Verified {
 		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
From 4e6593bc6051b1b27824c75a9702e62f4ed6036a Mon Sep 17 00:00:00 2001
From: Aigars Mahinovs
Date: Fri, 8 Mar 2019 13:41:15 +0100
Subject: [PATCH 2/2] Update changelog for pull request #57

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f83b76..d42d688 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
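Review bot: The fallback in the second hunk, `claims.Email = claims.Subject`, removes the only guard that kept an empty identity out of the session: if `sub` is also missing or empty, `claims.Email` stays `""` and the function carries on where it previously returned an error. Guard the fallback before the assignment, e.g. `if claims.Subject == "" { return nil, fmt.Errorf("id_token contained neither email nor sub") }`. After the fallback the Email field holds an opaque subject identifier rather than an address, so the `email in id_token (%s) isn't verified` message and any downstream logic that treats the session email as a mailbox or domain (outside this hunk) will now see a non-address value; consider carrying the subject in its own session field, or at least stating the overloading in the TODO comment so the next maintainer knows Email may not be an email. `createSessionState` begins and ends outside both hunks.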
@@ -2,6 +2,7 @@
 ## Changes since v3.1.0
+- [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius)
 - [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)
 - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
 - [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery