Allow existing users to login via OpenID Connect. (#8345)
Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.pull/8405/head
							parent
							
								
									3e87d79e1c
								
							
						
					
					
						commit
						abd04b6af0
					
				|  | @ -0,0 +1 @@ | |||
| Add a configuration option that allows existing users to log in with OpenID Connect. Contributed by @BBBSnowball and @OmmyZhang. | ||||
|  | @ -1689,6 +1689,11 @@ oidc_config: | |||
|   # | ||||
|   #skip_verification: true | ||||
| 
 | ||||
|   # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead | ||||
|   # of failing. This could be used if switching from password logins to OIDC. Defaults to false. | ||||
|   # | ||||
|   #allow_existing_users: true | ||||
| 
 | ||||
|   # An external module can be provided here as a custom solution to mapping | ||||
|   # attributes returned from a OIDC provider onto a matrix user. | ||||
|   # | ||||
|  |  | |||
|  | @ -56,6 +56,7 @@ class OIDCConfig(Config): | |||
|         self.oidc_userinfo_endpoint = oidc_config.get("userinfo_endpoint") | ||||
|         self.oidc_jwks_uri = oidc_config.get("jwks_uri") | ||||
|         self.oidc_skip_verification = oidc_config.get("skip_verification", False) | ||||
|         self.oidc_allow_existing_users = oidc_config.get("allow_existing_users", False) | ||||
| 
 | ||||
|         ump_config = oidc_config.get("user_mapping_provider", {}) | ||||
|         ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER) | ||||
|  | @ -158,6 +159,11 @@ class OIDCConfig(Config): | |||
|           # | ||||
|           #skip_verification: true | ||||
| 
 | ||||
|           # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead | ||||
|           # of failing. This could be used if switching from password logins to OIDC. Defaults to false. | ||||
|           # | ||||
|           #allow_existing_users: true | ||||
| 
 | ||||
|           # An external module can be provided here as a custom solution to mapping | ||||
|           # attributes returned from a OIDC provider onto a matrix user. | ||||
|           # | ||||
|  |  | |||
|  | @ -114,6 +114,7 @@ class OidcHandler: | |||
|             hs.config.oidc_user_mapping_provider_config | ||||
|         )  # type: OidcMappingProvider | ||||
|         self._skip_verification = hs.config.oidc_skip_verification  # type: bool | ||||
|         self._allow_existing_users = hs.config.oidc_allow_existing_users  # type: bool | ||||
| 
 | ||||
|         self._http_client = hs.get_proxied_http_client() | ||||
|         self._auth_handler = hs.get_auth_handler() | ||||
|  | @ -849,7 +850,8 @@ class OidcHandler: | |||
|         If we don't find the user that way, we should register the user, | ||||
|         mapping the localpart and the display name from the UserInfo. | ||||
| 
 | ||||
|         If a user already exists with the mxid we've mapped, raise an exception. | ||||
|         If a user already exists with the mxid we've mapped and allow_existing_users | ||||
|         is disabled, raise an exception. | ||||
| 
 | ||||
|         Args: | ||||
|             userinfo: an object representing the user | ||||
|  | @ -905,21 +907,31 @@ class OidcHandler: | |||
| 
 | ||||
|         localpart = map_username_to_mxid_localpart(attributes["localpart"]) | ||||
| 
 | ||||
|         user_id = UserID(localpart, self._hostname) | ||||
|         if await self._datastore.get_users_by_id_case_insensitive(user_id.to_string()): | ||||
|             # This mxid is taken | ||||
|             raise MappingException( | ||||
|                 "mxid '{}' is already taken".format(user_id.to_string()) | ||||
|         user_id = UserID(localpart, self._hostname).to_string() | ||||
|         users = await self._datastore.get_users_by_id_case_insensitive(user_id) | ||||
|         if users: | ||||
|             if self._allow_existing_users: | ||||
|                 if len(users) == 1: | ||||
|                     registered_user_id = next(iter(users)) | ||||
|                 elif user_id in users: | ||||
|                     registered_user_id = user_id | ||||
|                 else: | ||||
|                     raise MappingException( | ||||
|                         "Attempted to login as '{}' but it matches more than one user inexactly: {}".format( | ||||
|                             user_id, list(users.keys()) | ||||
|                         ) | ||||
|                     ) | ||||
|             else: | ||||
|                 # This mxid is taken | ||||
|                 raise MappingException("mxid '{}' is already taken".format(user_id)) | ||||
|         else: | ||||
|             # It's the first time this user is logging in and the mapped mxid was | ||||
|             # not taken, register the user | ||||
|             registered_user_id = await self._registration_handler.register_user( | ||||
|                 localpart=localpart, | ||||
|                 default_display_name=attributes["display_name"], | ||||
|                 user_agent_ips=(user_agent, ip_address), | ||||
|             ) | ||||
| 
 | ||||
|         # It's the first time this user is logging in and the mapped mxid was | ||||
|         # not taken, register the user | ||||
|         registered_user_id = await self._registration_handler.register_user( | ||||
|             localpart=localpart, | ||||
|             default_display_name=attributes["display_name"], | ||||
|             user_agent_ips=(user_agent, ip_address), | ||||
|         ) | ||||
| 
 | ||||
|         await self._datastore.record_user_external_id( | ||||
|             self._auth_provider_id, remote_user_id, registered_user_id, | ||||
|         ) | ||||
|  |  | |||
|  | @ -393,7 +393,7 @@ class RegistrationWorkerStore(SQLBaseStore): | |||
| 
 | ||||
|     async def get_user_by_external_id( | ||||
|         self, auth_provider: str, external_id: str | ||||
|     ) -> str: | ||||
|     ) -> Optional[str]: | ||||
|         """Look up a user by their external auth id | ||||
| 
 | ||||
|         Args: | ||||
|  | @ -401,7 +401,7 @@ class RegistrationWorkerStore(SQLBaseStore): | |||
|             external_id: id on that system | ||||
| 
 | ||||
|         Returns: | ||||
|             str|None: the mxid of the user, or None if they are not known | ||||
|             the mxid of the user, or None if they are not known | ||||
|         """ | ||||
|         return await self.db_pool.simple_select_one_onecol( | ||||
|             table="user_external_ids", | ||||
|  |  | |||
|  | @ -617,3 +617,38 @@ class OidcHandlerTestCase(HomeserverTestCase): | |||
|             ) | ||||
|         ) | ||||
|         self.assertEqual(mxid, "@test_user_2:test") | ||||
| 
 | ||||
|         # Test if the mxid is already taken | ||||
|         store = self.hs.get_datastore() | ||||
|         user3 = UserID.from_string("@test_user_3:test") | ||||
|         self.get_success( | ||||
|             store.register_user(user_id=user3.to_string(), password_hash=None) | ||||
|         ) | ||||
|         userinfo = {"sub": "test3", "username": "test_user_3"} | ||||
|         e = self.get_failure( | ||||
|             self.handler._map_userinfo_to_user( | ||||
|                 userinfo, token, "user-agent", "10.10.10.10" | ||||
|             ), | ||||
|             MappingException, | ||||
|         ) | ||||
|         self.assertEqual(str(e.value), "mxid '@test_user_3:test' is already taken") | ||||
| 
 | ||||
|     @override_config({"oidc_config": {"allow_existing_users": True}}) | ||||
|     def test_map_userinfo_to_existing_user(self): | ||||
|         """Existing users can log in with OpenID Connect when allow_existing_users is True.""" | ||||
|         store = self.hs.get_datastore() | ||||
|         user4 = UserID.from_string("@test_user_4:test") | ||||
|         self.get_success( | ||||
|             store.register_user(user_id=user4.to_string(), password_hash=None) | ||||
|         ) | ||||
|         userinfo = { | ||||
|             "sub": "test4", | ||||
|             "username": "test_user_4", | ||||
|         } | ||||
|         token = {} | ||||
|         mxid = self.get_success( | ||||
|             self.handler._map_userinfo_to_user( | ||||
|                 userinfo, token, "user-agent", "10.10.10.10" | ||||
|             ) | ||||
|         ) | ||||
|         self.assertEqual(mxid, "@test_user_4:test") | ||||
|  |  | |||
		Loading…
	
		Reference in New Issue
	
	 Tdxdxoz
						Tdxdxoz