Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Allow OIDC for existing users #8180

Closed
wants to merge 10 commits into from
Closed

Allow OIDC for existing users #8180

wants to merge 10 commits into from

Conversation

OmmyZhang
Copy link
Contributor

Allows merging oidc with existing users and allows always using userinfo endpoint.
a patch by @BBBSnowball

fix #7633 and #8155

@clokep
Copy link
Member

clokep commented Aug 26, 2020

@OmmyZhang Can you merge develop in again? We had a broken test that got fixed an hour or so ago. Sorry about that! 👍

@clokep
Copy link
Member

clokep commented Aug 26, 2020

This replaces #8178 (just to cross-link).

@clokep clokep requested a review from a team September 4, 2020 11:30
@richvdh richvdh changed the title Feature allows merging oidc with existing users Allow OIDC for existing users Sep 4, 2020
Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please could you separate this into two PRs: one for the gitlab fix, and the other for the existing users?

@clokep clokep added the X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged label Sep 4, 2020
@OmmyZhang
Copy link
Contributor Author

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

@clokep
Copy link
Member

clokep commented Sep 9, 2020

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

I think the changes for GitLab are already up as #7658.

@OmmyZhang
Copy link
Contributor Author

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

I think the changes for GitLab are already up as #7658.

Great. Now things are easier.

@OmmyZhang OmmyZhang requested a review from richvdh September 10, 2020 08:29
@richvdh richvdh removed the X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged label Sep 10, 2020
Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for this! A few comments.

raise MappingException(
"mxid '{}' is already taken".format(user_id.to_string())
if self._merge_with_existing_users:
registered_user_id = user_id.to_string()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is not a given that the registered user id is the same as the id we looked up (note: "_case_insensitive".) get_users_by_id_case_insensitive returns a dict of potiental matches. please use it.

Comment on lines 910 to 912
if self._merge_with_existing_users:
registered_user_id = user_id.to_string()
else:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the docstring on this method says:

    If a user already exists with the mxid we've mapped, raise an exception.

Please update it.

@@ -0,0 +1 @@
This adds config option that allows merging OpenID Connect users with existing users.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This adds config option that allows merging OpenID Connect users with existing users.
Add a configuration option that allows existing users to log in with OpenID Connect. Contributed by @BBBSnowball and @OmmyZhang.

@@ -158,6 +161,10 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
#
#skip_verification: true

# if user already exists, add oidc token to that account instead of failing. Defaults to false.
#
#merge_with_existing_users: false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't seem a great name for this option. How about allow_existing_users ?

Comment on lines 164 to 166
# if user already exists, add oidc token to that account instead of failing. Defaults to false.
#
#merge_with_existing_users: false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format says:

For boolean (on/off) options, convention is that this example should be the opposite to the default (so the comment will end with "Uncomment the following to enable [or disable] ."

please could you follow the conventions.

@richvdh richvdh added the X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged label Sep 10, 2020
@OmmyZhang
Copy link
Contributor Author

@richvdh thanks for your suggestions. Now it's updated.

@clokep clokep requested a review from a team September 14, 2020 11:28
Copy link
Member

@clokep clokep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is close! Just a couple more details to work out!

Comment on lines +915 to +916
if self._allow_existing_users:
registered_user_id = next(iter(matches))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can matches have multiple items? Should we still error in that case? It feels arbitrary to choose the first one. At the very least I think we should log something.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there can't be more than one item as the same (case insensitive) usernames are not allowed. This is also why we need get_users_by_id_case_insensitive.

users = await self.store.get_users_by_id_case_insensitive(user_id)
if users:
if not guest_access_token:
raise SynapseError(
400, "User ID already taken.", errcode=Codes.USER_IN_USE
)

Maybe we should log something if there're more than one, to show that something goes wrong? But it's a little strange. If we do, we should also do this in many other places.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I find auth considers more. But I still can't understand why there can be multiple matches. Maybe for backward compatibility?

elif user_id in user_infos:
# multiple matches, but one is exact
result = (user_id, user_infos[user_id])
else:
# multiple matches, none of them exact
logger.warning(

Comment on lines +853 to +854
If a user already exists with the mxid we've mapped and allow_existing_users
is disabled , raise an exception.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If a user already exists with the mxid we've mapped and allow_existing_users
is disabled , raise an exception.
If a user already exists with the mxid we've mapped and allow_existing_users
is disabled, raise an exception.

@@ -158,6 +159,10 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
#
#skip_verification: true

# Uncomment to add oidc token to the account instead of failing when user already exists. Defaults to false.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this comment is very descriptive -- what's the token that's being added? Why would I turn this on?

Suggested change
# Uncomment to add oidc token to the account instead of failing when user already exists. Defaults to false.
# Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
# of failing. This could be used if switching from password logins to OIDC. Defaults to false.

@OmmyZhang
Copy link
Contributor Author

Sorry I have to create a new PR as I realized that this branch can't be auto-updated after I delete my repository and re-fork from matrix-org/synapse.

#8345 will replace this one.

@OmmyZhang OmmyZhang closed this Sep 18, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Use OpenID Connect users with existing accounts
4 participants