Relax the use of Email Domains/Addresses to enforce authentication

docs/sso_config.md

@@ -30,7 +30,9 @@ For example, the following config would have the following environment variables
   * **to** is the cname of the proxied service (this tells sso proxy where to proxy requests that come in on the from field)
   * **type** declares the type of route to use, right now there is just *simple* and *rewrite*.
   * **options** are a set of options that can be added to your configuration.
-    * **allowed groups** optional list of authorized google groups that can access the service. If not specified, anyone within an email domain is allowed to access the service. *Note*: We do not support nested group authentication at this time. Groups must be made up of email addresses associated with individual's accounts. See [#133](https://github.com/buzzfeed/sso/issues/133).
+    * **allowed groups** optional list of authorized google groups that can access the service.
+    * **allowed_email_domains** options list of authorized email domains that can access the service.
+    * **allowed_email_addresses** optional list of authorized email addresses that can access the service.
     * **skip_auth_regex** skips authentication for paths matching these regular expressions. NOTE: Use with extreme caution.
     * **header_overrides** overrides any heads set either by SSO proxy itself or upstream applications. Useful for modifying browser security headers.
     * **timeout** sets the amount of time that SSO Proxy will wait for the upstream to complete its request.
@@ -189,4 +191,4 @@ share the same paths.
 ![sso_request_flow](https://user-images.githubusercontent.com/10510566/44476373-8ae34e80-a605-11e8-93da-d876f7e48d84.png)
 
 
-<!-- diagram source: http://sequencediagram.org/index.html#initialData=C4S2BsFMAIGVYPLQEqQI4FdIGdjQGLgD2A7gFBkB2RwMRAbpAE7QbbMA00AxAA4iUA1gC5oAFWYBbAUWIBzAJ4A6FdAA6lDQCotqbEQxMAxjAQlKzHeotK5S1uxYkAFkXbQAJgENgX6CGxoACNIATloLyMTbHYPa20tAGFwEEhKPABBXl4Uox8QIkorDUhbe0d6EBNoC0gPMIionEDgIgdmAHJA7194oq0MjGBXJhAAL3zCuGZGJmKbO2g5NOYfHAihkfHJymgjIg8YAAovSjjI6JaiQTSASj6dPQNjGFgZyy1rUsW0j14iAR4YY+aC8JgMECHQJsTrdHxeCjUWjQBjMdpMLjcABmOKCHg8wgAkrthjBgEwvPVQIUvOBoAhBsNoEx0FhcNAscQSNZSej-C1nDAAERPQzVMwWJhCpQaDRiQXQDos-RiyAdfwk5wBPZedwhMIaXkwpiBeQCfyHdJgZQUY0AWgAfDE2mCiAAPBTCADiAFExNBnMBgLxsMIAPRhrFEIhKZ1KSBurySHKlfaSMOImh0WbQZ2g8EezE4rF4gnymAszA4PDa2lcurBSB5GHQXnwJAVKrrLws0EYIK5cAKRqXEAD0qyyjE1sK8mUsAFSi0+mM5zM1nVjlcuCIaAABQLw+1vKFyVS6WgWRyVR20sn+CILHb0BIMGcXkY0AjwBIRAj0DPNJMmyXIdlDaAhTzV0PSFCIzggvMvE2ICb1aKV7DlLVAm1EJm3cdsuk8HAQDkXYYUCPwhQ8AxxxRJDhlgnsjC1WgjGAQxSgoKDDztR1uPdT1mKbQQOUffMBNzZpFz2aNBFSChaTwahxI9SSYmk-Zrnk6Bc30FSFD4vT6MFK08jQ70-QDIMQ3DMNnTtYz40TZMoCUNMMyoLMURzRDkNMnxHyLXF8WEcsdyQVcULMsScJoNdeQ0U8UiAy8QNQxdGPgk9V0fbZqV2N4mFmO9NEoB8n13V8Aw-GBv1-f9AIvK9QPyij4Lqv8w0vTZcomfLpiK5hAg0XCkPcMBumI0j+QiCDqP7KA6M2RjjBYpt2JZJQyB0nTtp23zSX8tDeKdIy-NAaKmGEISjBEqMWGMqKApYdh1KmTS5MgPbdp2lFeCUtpHqOsTXuwDTZO037dMB87UMfR0iGM8TKkOK7fX9QNg1DCNEc2JRXRR5g3KIdMvjKaAvWjORFoZTYACZ93BQmmG+nbWZ0pFszRXGmQJyFOB4YtS1EMKebXPnUZm04IJy0Y+ukwriusc1eTnKlF2XWmmUrNk8E5Ugtqh6B2b+gGlt5pn+ZeqTChNnSxeRq2TodiXmFEY1oHkbDKBNk2Xct1HnaR12rr2Fk1nN8WA7RUHwa0r6jbtyPHcDhHg+j0OPa8bIme7JoYnXKtcBN35faN-2IUD06YcOi7ntEFl6hZNjoAAakk+DjN6nYZMOCgjYOky6+Oh0K+ZhuN3ZC5mlba40msI42AaIxkvSAB9SEuBX89gDX9gjBZPB267uWe-2Q5bjLqHOe8mOztruGMUF4KCR0begI3jwrFOOI39X3f96H2-r2ZYko1hxA0C4ee0stZrkangbO14zLSSOAIBcdYFD3A0JIU4GAMHrjkAEWgJp-DAHYOALEL4wBrhgauRmlciaTh0NOYY2o8juF5CHGalMiDU1KDoK+v0x5OzTpsFObtoCzBAFiYcJ88rg0OBoH+SwVgUmRNPAurQbg+3LunBhTBDI1yHo-UQGirjaMEfte+xjLqOmVM8EwE8i54A9ocXwIBwDYEsRzLyqIWD2NVEFEsIUwoBJeDNE8opwmK2YLBDQKtZwUnVjSOksDC66y3AbScAARSAvBfgNCmLyJia02IcSImDUiHBDRYRkhgcAcQQgzhgNgJMMBdTNO6sMbu-UYlMBlKVZhmo2G6jJAqMJ1RjwKmNIRfmVpgDKAEYnI2EzICGI2A-S67tHBEXcZ47x0MNk2OeidQeT1zKSOYNI4cHt3yBH2EwZueBIA4I8REfEyphqUBAPGew5FZpBAwGMMYWJIB1GJpITwJMvACAOYpSRtJITolZmc4GBj1lA2Ho+a64d1Gw0umpMG70IYJyhpATxMABD0ERXEY0JtUVYoMdwRuDpjSiAACwAAYADMEFiTUpSHEDIUQDDpCFCXM4e1S6-RRdY858Nq76Qnk3dabcO7nB6qffq59SU-SsS6HiirMUmPSZuMxs9tELyXpQcI7916bz2P-PeTZD5qrkfLYlF8Dk3z8Yc6CCggnCz-jvT+394LBo-oAyAwBgEwFAasWgEDKBQN2LQsR8CIhpWQVMVB3zQAYKwZQHBlA8HgCHAQohQ1SHkMoSQahcEVxiIPPogZCQWG1PYWMmAXCpmvF3JFNFSgllQ3pXKtFpyx2MtEFImRRyekKMgEo+C8a1HtPzuYtIo6jHyoMYq-1pj10Ws3csqG-EPQYvxfXU17JXHRphfsk9v0fU+UnY-QNISFTPgHYyiJCoRQ4Aca8d4UplaajJEkhcKTG3a0nnrLkraypiWfFVd8n4Or-iidUPpXzRotgmhUkiuxaxzRootMWK1mJgHWhxBDuT8lnEKWBiIq0qNlN7FCQj1T0gKllvIqYfS4JxF5JhoDg0WAaDyLsIgWJaC7CabyVpkgxlhAQ2FLEIATR4FWZJMTGpOk603Prbkv56lxFQzAEIaQNA8L4dAI4KbOkMsftexNnSZnYUtKABZtxDYjoHq+2xe7DzbLRG4+9XjH36v0hOg1AlhAzpuTsyofgMiJAADLet8S+2LhZn7BIJJ01LaWKK9iCF4G4cRARtAU3pf1OnKjVCUfcwo6m5CGB7upqAAoQRpEIbUEhxbS3lowLwHonFIs6Xhe6uosqcsGXWfusOkAI51djsS+OJcKU1BoHOuWM3-NzbtMyuorLHAcp5XyygAqkXCv2BgMVmXkS+rPQGng-AhCiFYYEbAIw8BGA00YDA+HeRRjLaQBojcNPrV879UupcyAvcdICZgS46SdkceuFVLcPatHq12aAvx-iAkzE9nMyOmCo7xyYd9ZZxmwalmD18HguAdLANVL5aYYBYnBJCvw6OYB1tYUx0Y4QABqe5EgIYQKSJgdb3B+AM+yNMDQsd4A0NzkmbmdkmYaY2dcAArdadQgA -->
+<!-- diagram source: http://sequencediagram.org/index.html#initialData=C4S2BsFMAIGVYPLQEqQI4FdIGdjQGLgD2A7gFBkB2RwMRAbpAE7QbbMA00AxAA4iUA1gC5oAFWYBbAUWIBzAJ4A6FdAA6lDQCotqbEQxMAxjAQlKzHeotK5S1uxYkAFkXbQAJgENgX6CGxoACNIATloLyMTbHYPa20tAGFwEEhKPABBXl4Uox8QIkorDUhbe0d6EBNoC0gPMIionEDgIgdmAHJA7194oq0MjGBXJhAAL3zCuGZGJmKbO2g5NOYfHAihkfHJymgjIg8YAAovSjjI6JaiQTSASj6dPQNjGFgZyy1rUsW0j14iAR4YY+aC8JgMECHQJsTrdHxeCjUWjQBjMdpMLjcABmOKCHg8wgAkrthjBgEwvPVQIUvOBoAhBsNoEx0FhcNAscQSNZSej-C1nDAAERPQzVMwWJhCpQaDRiQXQDos-RiyAdfwk5wBPZedwhMIaXkwpiBeQCfyHdJgZQUY0AWgAfDE2mCiAAPBTCADiAFExNBnMBgLxsMIAPRhrFEIhKZ1KSBurySHKlfaSMOImh0WbQZ2g8EezE4rF4gnymAszA4PDa2lcurBSB5GHQXnwJAVKrrLws0EYIK5cAKRqXEAD0qyyjE1sK8mUsAFSi0+mM5zM1nVjlcuCIaAABQLw+1vKFyVS6WgWRyVR20sn+CILHb0BIMGcXkY0AjwBIRAj0DPNJMmyXIdlDaAhTzV0PSFCIzggvMvE2ICb1aKV7DlLVAm1EJm3cdsuk8HAQDkXYYUCPwhQ8AxxxRJDhlgnsjC1WgjGAQxSgoKDDztR1uPdT1mKbQQOUffMBNzZpFz2aNBFSChaTwahxI9SSYmk-Zrnk6Bc30FSFD4vT6MFK08jQ70-QDIMQ3DMNnTtYz40TZMoCUNMMyoLMURzRDkNMnxHyLXF8WEcsdyQVcULMsScJoNdeQ0U8UiAy8QNQxdGPgk9V0fbZqV2N4mFmO9NEoB8n13V8Aw-GBv1-f9AIvK9QPyij4Lqv8w0vTZcomfLpiK5hAg0XCkPcMBumI0j+QiCDqP7KA6M2RjjBYpt2JZJQyB0nTtp23zSX8tDeKdIy-NAaKmGEISjBEqMWGMqKApYdh1KmTS5MgPbdp2lFeCUtpHqOsTXuwDTZO037dMB87UMfR0iGM8TKkOK7fX9QNg1DCNEc2JRXRR5g3KIdMvjKaAvWjORFoZTYACZ93BQmmG+nbWZ0pFszRXGmQJyFOB4YtS1EMKebXPnUZm04IJy0Y+ukwriusc1eTnKlF2XWmmUrNk8E5Ugtqh6B2b+gGlt5pn+ZeqTChNnSxeRq2TodiXmFEY1oHkbDKBNk2Xct1HnaR12rr2Fk1nN8WA7RUHwa0r6jbtyPHcDhHg+j0OPa8bIme7JoYnXKtcBN35faN-2IUD06YcOi7ntEFl6hZNjoAAakk+DjN6nYZMOCgjYOky6+Oh0K+ZhuN3ZC5mlba40msI42AaIxkvSAB9SEuBX89gDX9gjBZPB267uWe-2Q5bjLqHOe8mOztruGMUF4KCR0begI3jwrFOOI39X3f96H2-r2ZYko1hxA0C4ee0stZrkangbO14zLSSOAIBcdYFD3A0JIU4GAMHrjkAEWgJp-DAHYOALEL4wBrhgauRmlciaTh0NOYY2o8juF5CHGalMiDU1KDoK+v0x5OzTpsFObtoCzBAFiYcJ88rg0OBoH+SwVgUmRNPAurQbg+3LunBhTBDI1yHo-UQGirjaMEfte+xjLqOmVM8EwE8i54A9ocXwIBwDYEsRzLyqIWD2NVEFEsIUwoBJeDNE8opwmK2YLBDQKtZwUnVjSOksDC66y3AbScAARSAvBfgNCmLyJia02IcSImDUiHBDRYRkhgcAcQQgzhgNgJMMBdTNO6sMbu-UYlMBlKVZhmo2G6jJAqMJ1RjwKmNIRfmVpgDKAEYnI2EzICGI2A-S67tHBEXcZ47x0MNk2OeidQeT1zKSOYNI4cHt3yBH2EwZueBIA4I8REfEyphqUBAPGew5FZpBAwGMMYWJIB1GJpITwJMvACAOYpSRtJITolZmc4GBj1lA2Ho+a64d1Gw0umpMG70IYJyhpATxMABD0ERXEY0JtUVYoMdwRuDpjSiAACwAAYADMEFiTUpSHEDIUQDDpCFCXM4e1S6-RRdY858Nq76Qnk3dabcO7nB6qffq59SU-SsS6HiirMUmPSZuMxs9tELyXpQcI7916bz2P-PeTZD5qrkfLYlF8Dk3z8Yc6CCggnCz-jvT+394LBo-oAyAwBgEwFAasWgEDKBQN2LQsR8CIhpWQVMVB3zQAYKwZQHBlA8HgCHAQohQ1SHkMoSQahcEVxiIPPogZCQWG1PYWMmAXCpmvF3JFNFSgllQ3pXKtFpyx2MtEFImRRyekKMgEo+C8a1HtPzuYtIo6jHyoMYq-1pj10Ws3csqG-EPQYvxfXU17JXHRphfsk9v0fU+UnY-QNISFTPgHYyiJCoRQ4Aca8d4UplaajJEkhcKTG3a0nnrLkraypiWfFVd8n4Or-iidUPpXzRotgmhUkiuxaxzRootMWK1mJgHWhxBDuT8lnEKWBiIq0qNlN7FCQj1T0gKllvIqYfS4JxF5JhoDg0WAaDyLsIgWJaC7CabyVpkgxlhAQ2FLEIATR4FWZJMTGpOk603Prbkv56lxFQzAEIaQNA8L4dAI4KbOkMsftexNnSZnYUtKABZtxDYjoHq+2xe7DzbLRG4+9XjH36v0hOg1AlhAzpuTsyofgMiJAADLet8S+2LhZn7BIJJ01LaWKK9iCF4G4cRARtAU3pf1OnKjVCUfcwo6m5CGB7upqAAoQRpEIbUEhxbS3lowLwHonFIs6Xhe6uosqcsGXWfusOkAI51djsS+OJcKU1BoHOuWM3-NzbtMyuorLHAcp5XyygAqkXCv2BgMVmXkS+rPQGng-AhCiFYYEbAIw8BGA00YDA+HeRRjLaQBojcNPrV879UupcyAvcdICZgS46SdkceuFVLcPatHq12aAvx-iAkzE9nMyOmCo7xyYd9ZZxmwalmD18HguAdLANVL5aYYBYnBJCvw6OYB1tYUx0Y4QABqe5EgIYQKSJgdb3B+AM+yNMDQsd4A0NzkmbmdkmYaY2dcAArdadQgA -->

internal/auth/authenticator.go

@@ -20,8 +20,6 @@ import (
 
 // Authenticator stores all the information associated with proxying the request.
 type Authenticator struct {
-	Validator        func(string) bool
-	EmailDomains     []string
 	ProxyRootDomains []string
 	Host             string
 	Scheme           string
@@ -80,7 +78,6 @@ func NewAuthenticator(config Configuration, optionFuncs ...func(*Authenticator)
 	p := &Authenticator{
 		ProxyClientID:     config.ClientConfigs["proxy"].ID,
 		ProxyClientSecret: config.ClientConfigs["proxy"].Secret,
-		EmailDomains:      config.AuthorizeConfig.EmailConfig.Domains,
 		Host:              config.ServerConfig.Host,
 		Scheme:            config.ServerConfig.Scheme,
 
@@ -127,7 +124,6 @@ func (p *Authenticator) GetRedirectURI(host string) string {
 type signInResp struct {
 	ProviderSlug string
 	ProviderName string
-	EmailDomains []string
 	Redirect     string
 	Destination  string
 	Version      string
@@ -155,7 +151,6 @@ func (p *Authenticator) SignInPage(rw http.ResponseWriter, req *http.Request, co
 	t := signInResp{
 		ProviderName: p.provider.Data().ProviderName,
 		ProviderSlug: p.provider.Data().ProviderSlug,
-		EmailDomains: p.EmailDomains,
 		Redirect:     redirectURL.String(),
 		Destination:  destinationURL.Host,
 		Version:      VERSION,
@@ -225,11 +220,6 @@ func (p *Authenticator) authenticate(rw http.ResponseWriter, req *http.Request)
 		}
 	}
 
-	if !p.Validator(session.Email) {
-		logger.WithUser(session.Email).Error("invalid email user")
-		return nil, ErrUserNotAuthorized
-	}
-
 	return session, nil
 }
 
@@ -569,17 +559,6 @@ func (p *Authenticator) getOAuthCallback(rw http.ResponseWriter, req *http.Reque
 		return "", HTTPError{Code: http.StatusForbidden, Message: "Invalid Redirect URI"}
 	}
 
-	// Set cookie, or deny: The authenticator validates the session email and group
-	// - for p.Validator see validator.go#newValidatorImpl for more info
-	// - for p.provider.ValidateGroup see providers/google.go#ValidateGroup for more info
-	if !p.Validator(session.Email) {
-		tags := append(tags, "error:invalid_email")
-		p.StatsdClient.Incr("application_error", tags, 1.0)
-		logger.WithRemoteAddress(remoteAddr).WithUser(session.Email).Error(
-			"invalid_email", "permission denied; unauthorized user")
-		return "", HTTPError{Code: http.StatusForbidden, Message: "Invalid Account"}
-	}
-
 	logger.WithRemoteAddress(remoteAddr).WithUser(session.Email).Info("authentication complete")
 	err = p.sessionStore.SaveSession(rw, req, session)
 	if err != nil {

internal/auth/authenticator_test.go

@@ -66,13 +66,6 @@ func setTestProvider(provider *providers.TestProvider) func(*Authenticator) erro
 	}
 }
 
-func setMockValidator(response bool) func(*Authenticator) error {
-	return func(a *Authenticator) error {
-		a.Validator = func(string) bool { return response }
-		return nil
-	}
-}
-
 func setRedirectURL(redirectURL *url.URL) func(*Authenticator) error {
 	return func(a *Authenticator) error {
 		a.redirectURL = redirectURL
@@ -139,7 +132,6 @@ func TestSignIn(t *testing.T) {
 		mockAuthCodeCipher     *aead.MockCipher
 		refreshResponse        providerRefreshResponse
 		providerValidToken     bool
-		validEmail             bool
 		expectedSignInPage     bool
 		expectedDestinationURL string
 		expectedCode           int
@@ -242,23 +234,6 @@ func TestSignIn(t *testing.T) {
 			expectedCode:          http.StatusInternalServerError,
 			expectedErrorResponse: &errResponse{"save error"},
 		},
-		{
-			name: "refresh period expired, successful refresh, invalid email",
-			mockSessionStore: &sessions.MockSessionStore{
-				Session: &sessions.SessionState{
-					Email:            "email",
-					AccessToken:      "accesstoken",
-					RefreshToken:     "refresh",
-					LifetimeDeadline: time.Now().Add(time.Hour),
-					RefreshDeadline:  time.Now().Add(-time.Hour),
-				},
-			},
-			refreshResponse: providerRefreshResponse{
-				OK: true,
-			},
-			expectedCode:          http.StatusUnauthorized,
-			expectedErrorResponse: &errResponse{ErrUserNotAuthorized.Error()},
-		},
 		{
 			name: "valid session state, save session error",
 			mockSessionStore: &sessions.MockSessionStore{
@@ -276,7 +251,7 @@ func TestSignIn(t *testing.T) {
 			expectedErrorResponse: &errResponse{"save error"},
 		},
 		{
-			name: "invalid session state, invalid email",
+			name: "invalid session state",
 			mockSessionStore: &sessions.MockSessionStore{
 				Session: &sessions.SessionState{
 					Email:            "email",
@@ -303,7 +278,6 @@ func TestSignIn(t *testing.T) {
 			refreshResponse: providerRefreshResponse{
 				OK: true,
 			},
-			validEmail:            true,
 			expectedCode:          http.StatusForbidden,
 			expectedErrorResponse: &errResponse{"no state parameter supplied"},
 		},
@@ -324,7 +298,6 @@ func TestSignIn(t *testing.T) {
 			refreshResponse: providerRefreshResponse{
 				OK: true,
 			},
-			validEmail:            true,
 			expectedCode:          http.StatusForbidden,
 			expectedErrorResponse: &errResponse{"no redirect_uri parameter supplied"},
 		},
@@ -346,7 +319,6 @@ func TestSignIn(t *testing.T) {
 			refreshResponse: providerRefreshResponse{
 				OK: true,
 			},
-			validEmail:            true,
 			expectedCode:          http.StatusBadRequest,
 			expectedErrorResponse: &errResponse{"malformed redirect_uri parameter passed"},
 		},
@@ -371,7 +343,6 @@ func TestSignIn(t *testing.T) {
 			mockAuthCodeCipher: &aead.MockCipher{
 				MarshalError: fmt.Errorf("error marshal"),
 			},
-			validEmail:            true,
 			expectedCode:          http.StatusInternalServerError,
 			expectedErrorResponse: &errResponse{"error marshal"},
 		},
@@ -396,7 +367,6 @@ func TestSignIn(t *testing.T) {
 			mockAuthCodeCipher: &aead.MockCipher{
 				MarshalString: "abcdefg",
 			},
-			validEmail:   true,
 			expectedCode: http.StatusFound,
 		},
 		{
@@ -414,7 +384,6 @@ func TestSignIn(t *testing.T) {
 				"state":        "state",
 				"redirect_uri": "http://foo.example.com",
 			},
-			validEmail:         true,
 			providerValidToken: true,
 			mockAuthCodeCipher: &aead.MockCipher{
 				MarshalString: "abcdefg",
@@ -428,7 +397,6 @@ func TestSignIn(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			config := testConfiguration(t)
 			auth, err := NewAuthenticator(config,
-				setMockValidator(tc.validEmail),
 				setMockSessionStore(tc.mockSessionStore),
 				setMockTempl(),
 				setMockRedirectURL(),
@@ -463,7 +431,6 @@ func TestSignIn(t *testing.T) {
 				expectedSignInResp := &signInResp{
 					ProviderName: provider.Data().ProviderName,
 					ProviderSlug: "test",
-					EmailDomains: auth.EmailDomains,
 					Redirect:     u.String(),
 					Destination:  tc.expectedDestinationURL,
 					Version:      VERSION,
@@ -575,7 +542,6 @@ func TestSignOutPage(t *testing.T) {
 			provider.RevokeError = tc.RevokeError
 
 			p, _ := NewAuthenticator(config,
-				setMockValidator(true),
 				setMockSessionStore(tc.mockSessionStore),
 				setMockTempl(),
 				setTestProvider(provider),
@@ -951,9 +917,7 @@ func TestGetProfile(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			config := testConfiguration(t)
-			p, _ := NewAuthenticator(config,
-				setMockValidator(true),
-			)
+			p, _ := NewAuthenticator(config)
 			u, _ := url.Parse("http://example.com")
 			testProvider := providers.NewTestProvider(u)
 			testProvider.Groups = tc.groupEmails
@@ -1053,9 +1017,7 @@ func TestRedeemCode(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			config := testConfiguration(t)
 
-			proxy, _ := NewAuthenticator(config,
-				setMockValidator(true),
-			)
+			proxy, _ := NewAuthenticator(config)
 
 			testURL, err := url.Parse("example.com")
 			if err != nil {
@@ -1224,7 +1186,6 @@ func TestOAuthCallback(t *testing.T) {
 		paramsMap          map[string]string
 		expectedError      error
 		testRedeemResponse testRedeemResponse
-		validEmail         bool
 		csrfResp           *sessions.MockCSRFStore
 		sessionStore       *sessions.MockSessionStore
 		expectedRedirect   string
@@ -1340,29 +1301,6 @@ func TestOAuthCallback(t *testing.T) {
 			},
 			expectedError: HTTPError{Code: http.StatusForbidden, Message: "csrf failed"},
 		},
-
-		{
-			name: "invalid email address",
-			paramsMap: map[string]string{
-				"code":  "authCode",
-				"state": base64.URLEncoding.EncodeToString([]byte("state:http://www.example.com/something")),
-			},
-			testRedeemResponse: testRedeemResponse{
-				SessionState: &sessions.SessionState{
-					Email:           "example@email.com",
-					AccessToken:     "accessToken",
-					RefreshDeadline: time.Now().Add(time.Hour),
-					RefreshToken:    "refresh",
-				},
-			},
-			csrfResp: &sessions.MockCSRFStore{
-				Cookie: &http.Cookie{
-					Name:  "something_csrf",
-					Value: "state",
-				},
-			},
-			expectedError: HTTPError{Code: http.StatusForbidden, Message: "Invalid Account"},
-		},
 		{
 			name: "valid email, invalid redirect",
 			paramsMap: map[string]string{
@@ -1383,7 +1321,6 @@ func TestOAuthCallback(t *testing.T) {
 					Value: "state",
 				},
 			},
-			validEmail:    true,
 			expectedError: HTTPError{Code: http.StatusForbidden, Message: "Invalid Redirect URI"},
 		},
 		{
@@ -1409,7 +1346,6 @@ func TestOAuthCallback(t *testing.T) {
 			sessionStore: &sessions.MockSessionStore{
 				SaveError: fmt.Errorf("saveError"),
 			},
-			validEmail:    true,
 			expectedError: HTTPError{Code: http.StatusInternalServerError, Message: "Internal Error"},
 		},
 		{
@@ -1433,7 +1369,6 @@ func TestOAuthCallback(t *testing.T) {
 				},
 			},
 			sessionStore:     &sessions.MockSessionStore{},
-			validEmail:       true,
 			expectedRedirect: "http://www.example.com/something",
 		},
 	}
@@ -1442,7 +1377,6 @@ func TestOAuthCallback(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			config := testConfiguration(t)
 			proxy, _ := NewAuthenticator(config,
-				setMockValidator(tc.validEmail),
 				setMockCSRFStore(tc.csrfResp),
 				setMockSessionStore(tc.sessionStore),
 			)
@@ -1563,7 +1497,6 @@ func TestOAuthStart(t *testing.T) {
 			provider := providers.NewTestProvider(nil)
 			proxy, _ := NewAuthenticator(config,
 				setTestProvider(provider),
-				setMockValidator(true),
 				setMockRedirectURL(),
 				setMockCSRFStore(&sessions.MockCSRFStore{}),
 			)

internal/auth/configuration.go

@@ -99,10 +99,6 @@ func DefaultAuthConfig() Configuration {
 		},
 		// we provide no defaults for these right now
 		AuthorizeConfig: AuthorizeConfig{
-			EmailConfig: EmailConfig{
-				Domains:   []string{},
-				Addresses: []string{},
-			},
 			ProxyConfig: ProxyConfig{
 				Domains: []string{},
 			},
@@ -120,7 +116,6 @@ var (
 	_ Validator = ProviderConfig{}
 	_ Validator = ClientConfig{}
 	_ Validator = AuthorizeConfig{}
-	_ Validator = EmailConfig{}
 	_ Validator = ProxyConfig{}
 	_ Validator = ServerConfig{}
 	_ Validator = MetricsConfig{}
@@ -402,39 +397,17 @@ func (cc ClientConfig) Validate() error {
 }
 
 type AuthorizeConfig struct {
-	EmailConfig EmailConfig `mapstructure:"email"`
 	ProxyConfig ProxyConfig `mapstructure:"proxy"`
 }
 
 func (ac AuthorizeConfig) Validate() error {
-	if err := ac.EmailConfig.Validate(); err != nil {
-		return xerrors.Errorf("invalid authorize.email config: %w", err)
-	}
-
 	if err := ac.ProxyConfig.Validate(); err != nil {
 		return xerrors.Errorf("invalid authorize.proxy config: %w", err)
 	}
 
 	return nil
 }
 
-type EmailConfig struct {
-	Domains   []string `mapstructure:"domains"`
-	Addresses []string `mapstructure:"addresses"`
-}
-
-func (ec EmailConfig) Validate() error {
-	if len(ec.Domains) > 0 && len(ec.Addresses) > 0 {
-		return xerrors.New("can not specify both email.domains and email.addesses")
-	}
-
-	if len(ec.Domains) == 0 && len(ec.Addresses) == 0 {
-		return xerrors.New("must specify either email.domains or email.addresses")
-	}
-
-	return nil
-}
-
 type ProxyConfig struct {
 	Domains []string `mapstructure:"domains"`
 }