Add blocklist and allowlist for oidc domains

Author: jawabuu

oidc/constants.py

@@ -11,6 +11,11 @@
 ERR_INVALID_RESPONSE = (
     "Unable to fetch user information from provider.  Please check the log."
 )
+ERR_INVALID_DOMAIN = (
+    "The domain for your account (%s) is not allowed to authenticate with this provider."
+)
+OIDC_DOMAIN_BLOCKLIST = frozenset(getattr(settings, "OIDC_DOMAIN_BLOCKLIST", []))
+OIDC_DOMAIN_ALLOWLIST = frozenset(getattr(settings, "OIDC_DOMAIN_ALLOWLIST", []))
 ISSUER = None
 
 DATA_VERSION = "1"

oidc/views.py

@@ -5,7 +5,7 @@
 from sentry.utils.compat import map
 from sentry.utils.signing import urlsafe_b64decode
 
-from .constants import ERR_INVALID_RESPONSE, ISSUER
+from .constants import ERR_INVALID_RESPONSE, ISSUER, ERR_INVALID_DOMAIN
 
 logger = logging.getLogger("sentry.auth.oidc")
 
@@ -47,6 +47,15 @@ def dispatch(self, request, helper):
         else:
             domain = payload.get("hd")
 
+        if domain is None:
+            return helper.error(ERR_INVALID_DOMAIN % (domain,))
+
+        if domain in OIDC_DOMAIN_BLOCKLIST:
+            return helper.error(ERR_INVALID_DOMAIN % (domain,))
+
+        if OIDC_DOMAIN_ALLOWLIST != set() and domain not in OIDC_DOMAIN_ALLOWLIST:
+            return helper.error(ERR_INVALID_DOMAIN % (domain,))
+
         helper.bind_state("domain", domain)
         helper.bind_state("user", payload)