
feat(sso): support wildcard email domains for OIDC #5409

Merged: IgorHorta merged 3 commits into main from igor/platfrm-202-support-wildcard-email-domains-for-sso-in-infisical on Feb 10, 2026

Conversation

@IgorHorta
Contributor

Context

OIDC SSO only supported exact domain matches for allowed email domains. Admins had to list every subdomain (e.g. team.acme.com, eng.acme.com) individually.

This change adds wildcard support so *.acme.com matches any subdomain and *.infisical matches infisical.com, br.infisical.com, team.infisical.ai, etc.

Closes PLATFRM-202

Screenshots

N/A – backend validation change; minor UI label/placeholder updates.

Steps to verify the change

  1. Configure OIDC SSO with Allowed Email Domains: *.infisical.com or *.infisical
  2. Log in with an Okta user whose email matches (e.g. user@br.infisical.com)
  3. Confirm login succeeds; confirm user@evil.com is rejected

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: feat(sso): support wildcard email domains for OIDC
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

- Add matchesAllowedEmailDomain utility with exact and *.suffix pattern support
- Update OIDC config service to use new matcher
- *.infisical matches infisical.com, br.infisical.com, team.infisical.ai, etc.
- Update frontend placeholder and API docs
- Document wildcard support in SSO docs

Closes PLATFRM-202

Co-authored-by: Cursor <cursoragent@cursor.com>
@linear

linear bot commented Feb 9, 2026

@greptile-apps
Contributor

greptile-apps bot commented Feb 9, 2026

Greptile Overview

Greptile Summary

This PR adds wildcard support for OIDC allowed email domains by introducing a shared matchesAllowedEmailDomain helper and switching OIDC login enforcement to use it, plus updating UI copy, docs, and API docs strings to document the new wildcard format.

Main concern is the new matcher’s wildcard logic: *.suffix currently matches domains where suffix is merely a prefix (e.g. example.com.evil), which can bypass the intended allow-list and allow unauthorized emails to authenticate when an org relies on allowedEmailDomains restrictions. Also, the matcher introduces a new native regex split which conflicts with the repo’s “use re2 for regex” guideline.

Confidence Score: 2/5

  • Not safe to merge until wildcard matching is tightened to prevent unintended domain allow-list bypasses.
  • The new email-domain matcher is security-sensitive and currently overmatches wildcard patterns by accepting suffix.* domains (e.g. example.com.evil) for allow-list entries like *.example.com, which can allow unauthorized OIDC logins. Other changes are documentation/UI copy updates.
  • backend/src/lib/validator/email-domain-matcher.ts, backend/src/ee/services/oidc/oidc-config-service.ts

Important Files Changed

backend/src/lib/validator/email-domain-matcher.ts
    Introduces domain matching helper with wildcard support, but uses native regex split and wildcard logic accepts invalid/overbroad matches (e.g., suffix treated as prefix) leading to unintended allow-list bypasses.

backend/src/ee/services/oidc/oidc-config-service.ts
    Switches OIDC allowed-domain enforcement to shared matcher helper; correctness now depends on matcher behavior (currently overly permissive for wildcard patterns).

backend/src/lib/api-docs/constants.ts
    Updates API docs strings to mention wildcard support for allowedEmailDomains; no functional code changes.

docs/documentation/platform/sso/general-oidc/overview.mdx
    Docs updated to mention wildcard allowed email domains; no issues spotted.

docs/documentation/platform/sso/okta-oidc.mdx
    Docs updated to mention wildcard allowed email domains; no issues spotted.

frontend/src/pages/organization/SettingsPage/components/OrgSsoTab/OIDCModal.tsx
    UI label/placeholder updated to mention wildcard support; no functional changes.


@greptile-apps greptile-apps bot left a comment


6 files reviewed, 2 comments

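The matcher below is an added example written for this page; it is not the matchesAllowedEmailDomain helper from the PR nor any other Infisical code. It puts the two rules discussed in the PR description and in the Greptile review side by side: a permissive label-run matcher that accepts example.com.evil for *.example.com, which is the over-match the review describes, and a suffix-anchored matcher that does not. The function names (matchesPermissive, matchesAnchored, emailDomainAllowed, compare), the fail-closed handling of an empty allow-list and the label validation are this example's own choices. It deliberately rejects TLD-less wildcards such as *.infisical: the semantics the PR states for that form (matching br.infisical.com and team.infisical.ai) require accepting the infisical label at a non-final position, which is the same label-anywhere shape that produces the over-match, so a suffix-anchored rule cannot express it.

```typescript
// Added example (not Infisical's code): two ways to evaluate an OIDC allowed-email-domain
// pattern against a login email. matchesPermissive reproduces the over-match the review
// describes; matchesAnchored is the tightened rule. All names are this example's own.

// One DNS label: letters, digits, inner hyphens, 1-63 chars. A short anchored pattern with
// no nested quantifiers, so no backtracking hazard; domains are split on the literal "."
// rather than with a regex split.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function normalizeDomain(domain: string): string {
  // Case-fold and drop trailing dots so "Team.ACME.com." compares equal to "team.acme.com".
  return domain.trim().toLowerCase().replace(/\.+$/, "");
}

function isValidDomain(domain: string): boolean {
  const labels = domain.split(".");
  return labels.length >= 2 && labels.every((l) => LABEL_RE.test(l));
}

// Permissive rule (constructed to illustrate the review concern, not the merged code):
// "*.suffix" matches when the suffix's labels occur as a contiguous run anywhere in the
// domain, so "*.example.com" accepts "example.com.evil".
function matchesPermissive(domain: string, pattern: string): boolean {
  const d = normalizeDomain(domain).split(".");
  const p = normalizeDomain(pattern);
  if (!p.startsWith("*.")) return d.join(".") === p;
  const s = p.slice(2).split(".");
  for (let i = 0; i + s.length <= d.length; i++) {
    if (s.every((label, j) => label === d[i + j])) return true;
  }
  return false;
}

// Anchored rule: "*.suffix" matches the suffix itself or a domain whose trailing labels are
// exactly the suffix's labels. A wildcard suffix must be at least two valid labels, so
// "*.com" and "*.infisical" are rejected as patterns instead of matching broadly.
function matchesAnchored(domain: string, pattern: string): boolean {
  const d = normalizeDomain(domain);
  const p = normalizeDomain(pattern);
  if (!isValidDomain(d)) return false;
  if (!p.startsWith("*.")) return isValidDomain(p) && d === p;
  const suffix = p.slice(2);
  if (!isValidDomain(suffix)) return false;
  return d === suffix || d.endsWith("." + suffix);
}

// Decide whether a login email passes an allow-list of patterns (exact domains and
// "*.suffix" wildcards) under the anchored rule. An empty list denies, so a misconfigured
// org fails closed; that is this example's choice, not necessarily the product's.
function emailDomainAllowed(email: string, allowedPatterns: string[]): boolean {
  const at = email.lastIndexOf("@");
  if (at < 0) return false;
  const domain = email.slice(at + 1);
  return allowedPatterns.some((p) => matchesAnchored(domain, p));
}

// Side-by-side comparison over constructed cases drawn from the PR and the review.
function compare(): Array<{ domain: string; pattern: string; permissive: boolean; anchored: boolean }> {
  const cases: Array<[string, string]> = [
    ["br.infisical.com", "*.infisical.com"],
    ["infisical.com", "*.infisical.com"],
    ["example.com.evil", "*.example.com"],
    ["evilexample.com", "*.example.com"],
    ["evil.com", "*.infisical.com"],
  ];
  return cases.map(([domain, pattern]) => ({
    domain,
    pattern,
    permissive: matchesPermissive(domain, pattern),
    anchored: matchesAnchored(domain, pattern),
  }));
}
```

Calling compare() shows the one row where the two rules disagree: example.com.evil is accepted by the permissive rule and rejected by the anchored one. The anchored rule is still not sufficient on its own: a pattern such as *.co.uk passes the two-label check and would admit every .co.uk address, so a production matcher should additionally reject suffixes that appear on a public suffix list, which this example does not embed.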

@maidul98
Collaborator

maidul98 commented Feb 9, 2026

Snyk checks have passed. No issues have been found so far.

Scanner                 Critical  High  Medium  Low  Total
Open Source Security    0         0     0       0    0 issues


@victorvhs017 victorvhs017 self-requested a review February 9, 2026 22:18
Contributor

@victorvhs017 victorvhs017 left a comment


Tested and it works great!

@IgorHorta IgorHorta merged commit 302d6bb into main Feb 10, 2026
12 checks passed
