From 11f171d19a347477b00f1c41cd78830a66f8af22 Mon Sep 17 00:00:00 2001
From: slewis74
Date: Thu, 27 May 2021 09:07:30 +1000
Subject: [PATCH] If a user can't be found by identity, fall back to checking Email address. Server can't do this for us in `GetByIdentity` because OnPrem AD scenarios would then break.
---
 .../Web/UserAuthenticatedAction.cs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/source/Server.OpenIDConnect.Common/Web/UserAuthenticatedAction.cs b/source/Server.OpenIDConnect.Common/Web/UserAuthenticatedAction.cs
index f2852de..6965f0a 100644
--- a/source/Server.OpenIDConnect.Common/Web/UserAuthenticatedAction.cs
+++ b/source/Server.OpenIDConnect.Common/Web/UserAuthenticatedAction.cs
@@ -198,6 +198,13 @@ IResultFromExtension GetOrCreateUser(UserResource userResource, string[]
 throw new Exception("There are multiple users with this identity. OpenID Connect identity providers do not support users with duplicate email addresses. Please remove any duplicate users, or make the email addresses unique.");
 var user = matchingUsers.SingleOrDefault();
+ if (user == null)
+ {
+ var emailAddress = identityToMatch.Claims[ClaimDescriptor.EmailClaimType].Value;
+ if (!string.IsNullOrWhiteSpace(emailAddress))
+ user = userStore.GetByEmailAddress(emailAddress).FirstOrDefault();
+ }
+
 if (user != null)
 {
 userStore.SetSecurityGroupIds(ProviderName, user.Id, groups, clock.GetUtcTime());
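Review bot: The email fallback takes `FirstOrDefault()` from `GetByEmailAddress`, so when two accounts share the address the login silently binds to whichever one the store returns first, while the identity lookup a few lines up rejects exactly that situation with an exception; the fallback should apply the same duplicate check before assigning `user`. Linking an existing account on nothing but the email claim also means the provider's email claim is being trusted as proof of ownership, so a comment such as `// Fallback relies on the provider asserting a verified email (OIDC email_verified) and on the store comparing addresses exactly` would record that assumption, and if the identity exposes a verified-email claim the lookup should be gated on it. `identityToMatch.Claims[ClaimDescriptor.EmailClaimType]` is dereferenced with `.Value` without a presence check, which may throw when a provider omits the email claim, depending on how that indexer behaves for missing keys. GetOrCreateUser starts and ends outside the hunk.
```csharp
            var user = matchingUsers.SingleOrDefault();
            if (user == null)
            {
                var emailAddress = identityToMatch.Claims[ClaimDescriptor.EmailClaimType].Value;
                if (!string.IsNullOrWhiteSpace(emailAddress))
                {
                    // Mirror the identity lookup above: never bind an OIDC login to an ambiguous account.
                    var usersByEmail = userStore.GetByEmailAddress(emailAddress).ToList();
                    if (usersByEmail.Count > 1)
                        throw new Exception("There are multiple users with this email address. OpenID Connect identity providers do not support users with duplicate email addresses. Please remove any duplicate users, or make the email addresses unique.");
                    user = usersByEmail.SingleOrDefault();
                }
            }
            // … unchanged: security group sync when a user was found …
```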