pwielgolaski / teamcity-oauth

teamcity oauth2 authentication plugin
Apache License 2.0

Access to teamcity outside the organization #42

Open sapielsam opened 7 months ago

sapielsam commented 7 months ago

Based on the problem described in the article

Steps to reproduce the problem:

  1. Create a Google account firstname.lastname+hacker@domain.org (this account does not belong to the organization and is not managed by it in any way).
  2. Try to log in to TeamCity with this account.

The actual result: A new account with username: firstname.lastname+hacker@domain.org is created and given default permissions.

Is it possible to add a check for the JWT claim `hd`, or via `getHostedDomain`, to check if the user belongs to an organization?
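The check requested above, sketched as an added example (this is not code from teamcity-oauth). It assumes the claims come from a Google ID token whose signature, issuer and audience have already been verified; the function names and sample claim sets are hypothetical, and `email_suffix_check` is included only as a contrast that accepts the account from step 1.

```python
ALLOWED_DOMAIN = "domain.org"  # organization domain used in the issue's example


def email_suffix_check(claims, allowed_domain=ALLOWED_DOMAIN):
    """Hypothetical weak check: trusts only the text of the email address."""
    email = str(claims.get("email", "")).lower()
    return email.endswith("@" + allowed_domain.lower())


def hosted_domain_check(claims, allowed_domain=ALLOWED_DOMAIN):
    """Accept only accounts whose `hd` claim names the organization.

    Google includes `hd` only for accounts that belong to a Workspace or
    Cloud organization, so a self-registered account carries no `hd` claim.
    """
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False  # claim missing or empty: account is not organization-managed
    if hd.lower() != allowed_domain.lower():
        return False  # managed, but by a different organization
    # Also require a verified address (boolean in ID tokens, string in tokeninfo).
    return claims.get("email_verified") in (True, "true")


# Constructed sample claim sets (not real tokens).
SAMPLES = {
    "managed": {"email": "firstname.lastname@domain.org",
                "email_verified": True, "hd": "domain.org"},
    "unmanaged": {"email": "firstname.lastname+hacker@domain.org",
                  "email_verified": True},  # no hd: the account from step 1
    "other_org": {"email": "user@example.net",
                  "email_verified": True, "hd": "example.net"},
    "empty_hd": {"email": "someone@domain.org",
                 "email_verified": True, "hd": ""},
}


def evaluate(samples=SAMPLES):
    """Return {name: (suffix_result, hd_result)} for each sample claim set."""
    return {name: (email_suffix_check(c), hosted_domain_check(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (suffix_ok, hd_ok) in evaluate().items():
        print(f"{name:10} suffix_check={suffix_ok!s:5} hd_check={hd_ok}")
```
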

sapielsam commented 7 months ago

I think the problem here