🚸(oidc) ignore case when fallback on email

Some identity providers might change the case, but in our products we don't consider case variation to be consider as different email addresses. Next step would be to normalize the DB value of email to be lower-case.
2026-04-25 17:15:14 +02:00 · 2026-02-10 22:31:46 +01:00
parent cc690ae9d2
commit ecf3a6c2cf
3 changed files with 25 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,13 +8,17 @@ and this project adheres to

 ## [Unreleased]

+### Changed
+
+- 🚸(oidc) ignore case when fallback on email #61
+
 ### Fixed

 - 🐛(oidc) use correct session key for token expiration check #56

 ## [0.0.23] - 2026-01-14

-### Changed
+

 - ⬆️(oidc) allow use mozilla-django-oidc >5.0.0 with PyJWT
 - ♻️(malware) reuse existing file_hash when rescheduling a task
--- a/src/lasuite/oidc_login/backends.py
+++ b/src/lasuite/oidc_login/backends.py
@@ -302,7 +302,7 @@ class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
        except self.UserModel.DoesNotExist:
            if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                try:
-                    return self.UserModel.objects.get(email=email)
+                    return self.UserModel.objects.get(email__iexact=email)
                except self.UserModel.DoesNotExist:
                    pass
        return None
--- a/tests/oidc_login/test_backends.py
+++ b/tests/oidc_login/test_backends.py
@@ -162,6 +162,25 @@ def test_authentication_getter_existing_user_via_email(django_assert_num_queries
    assert user == db_user


+def test_authentication_getter_existing_user_via_email_case(django_assert_num_queries, monkeypatch):
+    """
+    If an existing user doesn't match the sub but matches the email with different case,
+    the user should be returned.
+    """
+    klass = OIDCAuthenticationBackend()
+    db_user = factories.UserFactory(email="Some.User@example.com")
+
+    def get_userinfo_mocked(*args):
+        return {"sub": "123", "email": "sOmE.useR@example.com"}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    with django_assert_num_queries(3):  # user by email + user by sub + update sub
+        user = klass.get_or_create_user(access_token="test-token", id_token=None, payload=None)
+
+    assert user == db_user
+
+
 def test_authentication_getter_existing_user_no_fallback_to_email(settings, monkeypatch):
    """
    When the "OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION" setting is set to False,