When a user selects ‘GitHub’ as the auth provider for logging in, and they have multiple email addresses in their GitHub profile, are all of those addresses provided to Discourse (or only the primary address)? If all the addresses are provided, does Discourse then search for an account matching any one of them?
I’m pretty sure that it uses only the one listed as ‘public email’.
Yes, that is how it works; we even respect email whitelists and blacklists.
OK, so here’s my situation: I have a blacklist with one domain on it, but we also have a custom authenticator plugin which is allowed to authenticate users with addresses in that domain. What I want to avoid is a user creating an account using an address from the special domain (using our custom authenticator to do so), but then later using GitHub login with that email address as one of their addresses. I haven’t read the code in the link above, but I believe that our desired behavior should work, as GitHubAuthenticator should reject the login if any address provided by github.com is in a blacklist domain.
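The policy the last post asks for, next to a primary-only check, as an added Ruby example that is not part of the thread and not Discourse's own code. The method names, the blocklist constant, the sample addresses and the subdomain-matching rule are all assumptions made for illustration; the sample data is constructed in the shape of GitHub's `GET /user/emails` response.

```ruby
# Constructed sample shaped like GitHub's GET /user/emails response.
GITHUB_EMAILS = [
  { "email" => "dev@example.org",        "primary" => true,  "verified" => true },
  { "email" => "Staff@Corp.Example.com", "primary" => false, "verified" => true },
  { "email" => "old@notexample.com",     "primary" => false, "verified" => false }
].freeze

# Hypothetical blocklist; stands in for the site's blocked-domain setting.
BLOCKED_DOMAINS = ["example.com"].freeze

# Lower-cased domain part of an address (text after the last "@").
def email_domain(address)
  address.to_s.strip.downcase.rpartition("@").last
end

# True when the domain equals a blocked domain or is a subdomain of one.
# Subdomain matching is an assumption of this example.
def blocked_domain?(domain, blocked = BLOCKED_DOMAINS)
  blocked.any? do |b|
    b = b.downcase
    domain == b || domain.end_with?(".#{b}")
  end
end

# Primary-only policy: inspects just the address flagged as primary.
def primary_only_allowed?(emails, blocked = BLOCKED_DOMAINS)
  primary = emails.find { |e| e["primary"] }
  !primary.nil? && !blocked_domain?(email_domain(primary["email"]), blocked)
end

# Every provider-supplied address that falls in a blocked domain.
def blocked_addresses(emails, blocked = BLOCKED_DOMAINS)
  emails.map { |e| e["email"] }
        .select { |a| blocked_domain?(email_domain(a), blocked) }
end

# Strict policy: refuse the login if any supplied address is blocked.
def strict_allowed?(emails, blocked = BLOCKED_DOMAINS)
  !emails.empty? && blocked_addresses(emails, blocked).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "primary-only allows login: #{primary_only_allowed?(GITHUB_EMAILS)}"
  puts "strict allows login:       #{strict_allowed?(GITHUB_EMAILS)}"
  puts "blocked addresses:         #{blocked_addresses(GITHUB_EMAILS).inspect}"
end
```

With this sample, the two policies disagree: the primary address passes, while a secondary address in a subdomain of the blocked domain causes the strict check to refuse the login.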