From dfc427e34bde4948cda7db3cb75351f12d45394e Mon Sep 17 00:00:00 2001
From: Sambhav Saggi <17993169+sambhavsaggi@users.noreply.github.com>
Date: Sun, 23 Jan 2022 16:43:21 -0500
Subject: [PATCH] Add Google support, sub fallback

---
 SSO-Auth/Api/SSOController.cs | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/SSO-Auth/Api/SSOController.cs b/SSO-Auth/Api/SSOController.cs
index a579b92..1f25716 100644
--- a/SSO-Auth/Api/SSOController.cs
+++ b/SSO-Auth/Api/SSOController.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Net.Mime;
 using System.Threading.Tasks;
+using IdentityModel.Client;
 using IdentityModel.OidcClient;
 using Jellyfin.Data.Entities;
 using Jellyfin.Data.Enums;
@@ -56,8 +57,9 @@ public ActionResult OIDPost(string provider)
                     ClientId = config.OIDClientId,
                     ClientSecret = config.OIDSecret,
                     RedirectUri = GetRequestBase() + "/sso/OID/r/" + provider,
-                    Scope = "openid profile"
+                    Scope = "openid profile",
                 };
+                options.Policy.Discovery.ValidateEndpoints = false; // For Google and other providers with different endpoints
                 var oidcClient = new OidcClient(options);
                 var state = StateManager[Request.Query["state"]].State;
                 var result = oidcClient.ProcessResponseAsync(Request.QueryString.Value, state).Result;
@@ -114,13 +116,29 @@ public ActionResult OIDPost(string provider)
                         }
                     }
                 }
+
+                // If the provider doesn't support preferred_username, then use sub
+                if (!StateManager[Request.Query["state"]].Valid)
+                {
+                    foreach (var claim in result.User.Claims)
+                    {
+                        if (claim.Type == "sub")
+                        {
+                            StateManager[Request.Query["state"]].Username = claim.Value;
+                            if (config.Roles.Length == 0)
+                            {
+                                StateManager[Request.Query["state"]].Valid = true;
+                            }
+                        }
+                    }
+                }
                 if (StateManager[Request.Query["state"]].Valid)
                 {
                     return Content(WebResponse.OIDGenerator(data: Request.Query["state"], provider: provider, baseUrl: GetRequestBase()), MediaTypeNames.Text.Html);
                 }
                 else
                 {
-                    return Content("Error. Check permissions");
+                    return Content("Error. Check permissions."); // TODO: Return error code as well
                 }
             }
         }
@@ -144,6 +162,7 @@ public async Task<ActionResult> OIDChallenge(string provider)
                     RedirectUri = GetRequestBase() + "/sso/OID/r/" + provider,
                     Scope = "openid profile"
                 };
+                options.Policy.Discovery.ValidateEndpoints = false; // For Google and other providers with different endpoints
                 var oidcClient = new OidcClient(options);
                 var state = await oidcClient.PrepareLoginAsync().ConfigureAwait(false);
                 StateManager.Add(state.State, new TimedAuthorizeState(state, DateTime.Now));
@@ -426,4 +445,6 @@ public TimedAuthorizeState(AuthorizeState state, DateTime created)
     public string Username { get; set; }
 
     public bool Admin { get; set; }
+
+    public string Email { get; set; }
 }