Allow existing users to login via OpenID Connect. (#8345)
Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
This commit is contained in:
parent
3e87d79e1c
commit
abd04b6af0
|
@ -0,0 +1 @@
|
|||
Add a configuration option that allows existing users to log in with OpenID Connect. Contributed by @BBBSnowball and @OmmyZhang.
|
|
@ -1689,6 +1689,11 @@ oidc_config:
|
|||
#
|
||||
#skip_verification: true
|
||||
|
||||
# Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
|
||||
# of failing. This could be used if switching from password logins to OIDC. Defaults to false.
|
||||
#
|
||||
#allow_existing_users: true
|
||||
|
||||
# An external module can be provided here as a custom solution to mapping
|
||||
# attributes returned from a OIDC provider onto a matrix user.
|
||||
#
|
||||
|
|
|
@ -56,6 +56,7 @@ class OIDCConfig(Config):
|
|||
self.oidc_userinfo_endpoint = oidc_config.get("userinfo_endpoint")
|
||||
self.oidc_jwks_uri = oidc_config.get("jwks_uri")
|
||||
self.oidc_skip_verification = oidc_config.get("skip_verification", False)
|
||||
self.oidc_allow_existing_users = oidc_config.get("allow_existing_users", False)
|
||||
|
||||
ump_config = oidc_config.get("user_mapping_provider", {})
|
||||
ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)
|
||||
|
@ -158,6 +159,11 @@ class OIDCConfig(Config):
|
|||
#
|
||||
#skip_verification: true
|
||||
|
||||
# Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
|
||||
# of failing. This could be used if switching from password logins to OIDC. Defaults to false.
|
||||
#
|
||||
#allow_existing_users: true
|
||||
|
||||
# An external module can be provided here as a custom solution to mapping
|
||||
# attributes returned from a OIDC provider onto a matrix user.
|
||||
#
|
||||
|
|
|
@ -114,6 +114,7 @@ class OidcHandler:
|
|||
hs.config.oidc_user_mapping_provider_config
|
||||
) # type: OidcMappingProvider
|
||||
self._skip_verification = hs.config.oidc_skip_verification # type: bool
|
||||
self._allow_existing_users = hs.config.oidc_allow_existing_users # type: bool
|
||||
|
||||
self._http_client = hs.get_proxied_http_client()
|
||||
self._auth_handler = hs.get_auth_handler()
|
||||
|
@ -849,7 +850,8 @@ class OidcHandler:
|
|||
If we don't find the user that way, we should register the user,
|
||||
mapping the localpart and the display name from the UserInfo.
|
||||
|
||||
If a user already exists with the mxid we've mapped, raise an exception.
|
||||
If a user already exists with the mxid we've mapped and allow_existing_users
|
||||
is disabled, raise an exception.
|
||||
|
||||
Args:
|
||||
userinfo: an object representing the user
|
||||
|
@ -905,13 +907,24 @@ class OidcHandler:
|
|||
|
||||
localpart = map_username_to_mxid_localpart(attributes["localpart"])
|
||||
|
||||
user_id = UserID(localpart, self._hostname)
|
||||
if await self._datastore.get_users_by_id_case_insensitive(user_id.to_string()):
|
||||
# This mxid is taken
|
||||
user_id = UserID(localpart, self._hostname).to_string()
|
||||
users = await self._datastore.get_users_by_id_case_insensitive(user_id)
|
||||
if users:
|
||||
if self._allow_existing_users:
|
||||
if len(users) == 1:
|
||||
registered_user_id = next(iter(users))
|
||||
elif user_id in users:
|
||||
registered_user_id = user_id
|
||||
else:
|
||||
raise MappingException(
|
||||
"mxid '{}' is already taken".format(user_id.to_string())
|
||||
"Attempted to login as '{}' but it matches more than one user inexactly: {}".format(
|
||||
user_id, list(users.keys())
|
||||
)
|
||||
|
||||
)
|
||||
else:
|
||||
# This mxid is taken
|
||||
raise MappingException("mxid '{}' is already taken".format(user_id))
|
||||
else:
|
||||
# It's the first time this user is logging in and the mapped mxid was
|
||||
# not taken, register the user
|
||||
registered_user_id = await self._registration_handler.register_user(
|
||||
|
@ -919,7 +932,6 @@ class OidcHandler:
|
|||
default_display_name=attributes["display_name"],
|
||||
user_agent_ips=(user_agent, ip_address),
|
||||
)
|
||||
|
||||
await self._datastore.record_user_external_id(
|
||||
self._auth_provider_id, remote_user_id, registered_user_id,
|
||||
)
|
||||
|
|
|
@ -393,7 +393,7 @@ class RegistrationWorkerStore(SQLBaseStore):
|
|||
|
||||
async def get_user_by_external_id(
|
||||
self, auth_provider: str, external_id: str
|
||||
) -> str:
|
||||
) -> Optional[str]:
|
||||
"""Look up a user by their external auth id
|
||||
|
||||
Args:
|
||||
|
@ -401,7 +401,7 @@ class RegistrationWorkerStore(SQLBaseStore):
|
|||
external_id: id on that system
|
||||
|
||||
Returns:
|
||||
str|None: the mxid of the user, or None if they are not known
|
||||
the mxid of the user, or None if they are not known
|
||||
"""
|
||||
return await self.db_pool.simple_select_one_onecol(
|
||||
table="user_external_ids",
|
||||
|
|
|
@ -617,3 +617,38 @@ class OidcHandlerTestCase(HomeserverTestCase):
|
|||
)
|
||||
)
|
||||
self.assertEqual(mxid, "@test_user_2:test")
|
||||
|
||||
# Test if the mxid is already taken
|
||||
store = self.hs.get_datastore()
|
||||
user3 = UserID.from_string("@test_user_3:test")
|
||||
self.get_success(
|
||||
store.register_user(user_id=user3.to_string(), password_hash=None)
|
||||
)
|
||||
userinfo = {"sub": "test3", "username": "test_user_3"}
|
||||
e = self.get_failure(
|
||||
self.handler._map_userinfo_to_user(
|
||||
userinfo, token, "user-agent", "10.10.10.10"
|
||||
),
|
||||
MappingException,
|
||||
)
|
||||
self.assertEqual(str(e.value), "mxid '@test_user_3:test' is already taken")
|
||||
|
||||
@override_config({"oidc_config": {"allow_existing_users": True}})
|
||||
def test_map_userinfo_to_existing_user(self):
|
||||
"""Existing users can log in with OpenID Connect when allow_existing_users is True."""
|
||||
store = self.hs.get_datastore()
|
||||
user4 = UserID.from_string("@test_user_4:test")
|
||||
self.get_success(
|
||||
store.register_user(user_id=user4.to_string(), password_hash=None)
|
||||
)
|
||||
userinfo = {
|
||||
"sub": "test4",
|
||||
"username": "test_user_4",
|
||||
}
|
||||
token = {}
|
||||
mxid = self.get_success(
|
||||
self.handler._map_userinfo_to_user(
|
||||
userinfo, token, "user-agent", "10.10.10.10"
|
||||
)
|
||||
)
|
||||
self.assertEqual(mxid, "@test_user_4:test")
|
||||
|
|
Loading…
Reference in New Issue