diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index 0fc829acf77d..e7e0b5e049b3 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -1239,6 +1239,7 @@ async def grandfather_existing_users() -> Optional[str]:
                 grandfather_existing_users,
                 extra_attributes,
                 auth_provider_session_id=sid,
+                registration_enabled=self._config.enable_registration,
             )
 
     def _remote_id_from_userinfo(self, userinfo: UserInfo) -> str:
diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py
index 70be146bf61f..c28325323c44 100644
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@@ -224,8 +224,6 @@ def __init__(self, hs: "HomeServer"):
 
         self._consent_at_registration = hs.config.consent.user_consent_at_registration
 
-        self._registration_enabled = hs.config.odic.enable_registration
-
     def register_identity_provider(self, p: SsoIdentityProvider) -> None:
         p_id = p.idp_id
         assert p_id not in self._identity_providers
@@ -385,6 +383,7 @@ async def complete_sso_login_request(
         grandfather_existing_users: Callable[[], Awaitable[Optional[str]]],
         extra_login_attributes: Optional[JsonDict] = None,
         auth_provider_session_id: Optional[str] = None,
+        registration_enabled: bool = True,
     ) -> None:
         """
         Given an SSO ID, retrieve the user ID for it and possibly register the user.
@@ -437,6 +436,10 @@ async def complete_sso_login_request(
 
             auth_provider_session_id: An optional session ID from the IdP.
 
+            registration_enabled: An optional boolean to enable/disable automatic
+                registrations of new users. If false and the user does not exist then the
+                flow is aborted. Defaults to true.
+
         Raises:
             MappingException if there was a problem mapping the response to a user.
             RedirectException: if the mapping provider needs to redirect the user
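Review bot: The new `registration_enabled: bool = True` default on `complete_sso_login_request` (sso.py, hunk at 385) makes the registration gate fail open for any caller that does not pass the flag; only the OIDC caller in oidc.py is updated in this diff, and any other SSO provider that calls this method (not visible here) would get automatic registration regardless of its configuration. For a check that decides whether a new account is created, the safer shape is to require the keyword so every caller states its policy explicitly: `registration_enabled: bool,` with no default, updating the remaining callers in the same change. If the default must stay for compatibility, the docstring added in the hunk at 437 should state that callers other than OIDC currently rely on it. The body of `complete_sso_login_request` continues outside these hunks.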
@@ -464,7 +467,7 @@ async def complete_sso_login_request(
                 auth_provider_id, remote_user_id, user_id
             )
 
-            if not user_id and not self._registration_enabled:
+            if not user_id and not registration_enabled:
                 logger.info(
                     "User does not exist and registration are disabled for IdP '%s' and remote_user_id '%s'",
                     auth_provider_id,
diff --git a/tests/handlers/test_oidc.py b/tests/handlers/test_oidc.py
index e2e4822ff74c..0a8bae54fbea 100644
--- a/tests/handlers/test_oidc.py
+++ b/tests/handlers/test_oidc.py
@@ -922,7 +922,7 @@ def test_extra_attributes(self) -> None:
             auth_provider_session_id=None,
         )
 
-    @override_config({"oidc_config": DEFAULT_CONFIG, "enable_registration": True})
+    @override_config({"oidc_config": {**DEFAULT_CONFIG, "enable_registration": True}})
     def test_map_userinfo_to_user(self) -> None:
         """Ensure that mapping the userinfo returned from a provider to an MXID works properly."""
         userinfo: dict = {
@@ -975,7 +975,7 @@ def test_map_userinfo_to_user(self) -> None:
             "Mapping provider does not support de-duplicating Matrix IDs",
         )
 
-    @override_config({"oidc_config": DEFAULT_CONFIG, "enable_registration": False})
+    @override_config({"oidc_config": {**DEFAULT_CONFIG, "enable_registration": False}})
     def test_map_userinfo_to_user_does_not_register_new_user(self) -> None:
         """Ensures new users are not registered if the enabled registration flag is disabled."""
         userinfo: dict = {