allow account linking for existing users when the localpart matches in upstream OAuth 2.0 logins #4193
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mcalinghee
force-pushed
the
feat/allow_override_user
branch
6 times, most recently
from
9d35eeb to
d50b6c0
Compare
mcalinghee
changed the title
mcalinghee
force-pushed
the
feat/allow_override_user
branch
from
d50b6c0 to
405abce
Compare
mcalinghee
force-pushed
the
feat/allow_override_user
branch
from
405abce to
11f17cc
Compare
mcalinghee
force-pushed
the
feat/allow_override_user
branch
3 times, most recently
from
8f7d65b to
0307f3c
Compare
mcalinghee
force-pushed
the
feat/allow_override_user
branch
from
0307f3c to
63f811a
Compare
mcalinghee
force-pushed
the
feat/allow_override_user
branch
2 times, most recently
from
fa428d9 to
3d64262
Compare
mcalinghee
changed the title
mcalinghee
force-pushed
the
feat/allow_override_user
branch
from
3d64262 to
f5a3404
Compare
odelcroi
force-pushed
the
feat/allow_override_user
branch
2 times, most recently
from
e2b0077 to
4405e08
Compare
odelcroi
reviewed
May 14, 2025
Wrong configuration of providerWhen activating the option
|
This comment was marked as resolved.
This comment was marked as resolved.
mcalinghee
commented
May 15, 2025
odelcroi
approved these changes
May 19, 2025
mcalinghee
force-pushed
the
feat/allow_override_user
branch
5 times, most recently
from
37f772c to
22b3d5d
Compare
odelcroi
force-pushed
the
feat/allow_override_user
branch
from
22b3d5d to
39716c9
Compare
odelcroi
force-pushed
the
feat/allow_override_user
branch
2 times, most recently
from
93a61bd to
3d4d1a6
Compare
sandhose
reviewed
Jul 8, 2025
Comment on lines
+503
to
+512
| // new oauth link is allowed | ||
| let ctx = UpstreamExistingLinkContext::new(existing_user) | ||
| .with_csrf(csrf_token.form_value()) | ||
| .with_language(locale); | ||
|
|
||
| return Ok(( | ||
| cookie_jar, | ||
| Html(templates.render_upstream_oauth2_login_link(&ctx)?) | ||
| .into_response(), | ||
| )); |
There was a problem hiding this comment.
I'm now wondering if it makes sense to show this intermediate page or not? For the 'active session' linking I think it does, as it's user-initiated and we don't want it to happen automatically, whereas here the intent really is for HS admins to transition from local passwords to upstream IDPs, the users should not care about this.
I'm fine with leaving it like that for now, and I'll clean that up later, as we also would like to make import dialog to be optional in some cases
odelcroi
force-pushed
the
feat/allow_override_user
branch
4 times, most recently
from
e910c49 to
00d8171
Compare
odelcroi
approved these changes
Jul 17, 2025
… OAuth 2.0 logins
Co-authored-by: Quentin Gliech <quenting@element.io>
Co-authored-by: Quentin Gliech <quenting@element.io>
Co-authored-by: Quentin Gliech <quenting@element.io>
odelcroi
force-pushed
the
feat/allow_override_user
branch
from
b877b9c to
ea8c8d2
Compare
|
@sandhose I'm done with the required modifications, I think we can consider updating the user flow by skipping the screen in a second step. If good with you, we can merge :) |
sandhose
approved these changes
Jul 18, 2025
Comment on lines
+1373
to
+1386
| #[allow(clippy::disallowed_methods)] | ||
| let timestamp = chrono::Utc::now().timestamp_millis(); | ||
|
|
||
| //suffix timestamp to generate unique test data | ||
| let existing_username = format!("{}{}", "john", timestamp); | ||
| let existing_email = format!("{}@{}", existing_username, "example.com"); | ||
|
|
||
| //existing username matches oidc username | ||
| let oidc_username = existing_username.clone(); | ||
|
|
||
| //oidc email is different from existing email | ||
| let oidc_email: String = format!("{}{}@{}", "any_email", timestamp, "example.com"); | ||
|
|
||
| let subject = format!("{}+{}", "subject", timestamp); |
There was a problem hiding this comment.
The databases are isolated between each test, no need to add timestamps there!
Comment on lines
+656
to
+659
| // User already exists, but it is not linked, neither logged in | ||
| // Proceed by associating the link and log in the user | ||
| // Upstream_session is used to re-render the username as it is the only source | ||
| // of truth |
There was a problem hiding this comment.
Just a little reflow and rewording of this comment
Suggested change
| // User already exists, but it is not linked, neither logged in | |
| // Proceed by associating the link and log in the user | |
| // Upstream_session is used to re-render the username as it is the only source | |
| // of truth | |
| // There is an existing user with the same username, but no link. | |
| // If the configuration allows it, the user is prompted to link the | |
| // existing account. Note that we cannot trust the user input here, | |
| // which is why we have to re-calculate the localpart, instead of | |
| // passing it through form data. |
Comment on lines
+696
to
+698
| let localpart = render_attribute_template(&env, template, &context, true)?; | ||
|
|
||
| let maybe_user = repo.user().find_by_username(&localpart.unwrap()).await?; |
There was a problem hiding this comment.
Better error out than crash (even if we recover from panics!)
Suggested change
| let localpart = render_attribute_template(&env, template, &context, true)?; | |
| let maybe_user = repo.user().find_by_username(&localpart.unwrap()).await?; | |
| let Some(localpart) = render_attribute_template(&env, template, &context, true)? else { | |
| // This should never be the case at this point | |
| return Err(RouteError::InvalidFormAction); | |
| }; | |
| let maybe_user = repo.user().find_by_username(&localpart).await?; |
| &state.clock, | ||
| &mut repo, | ||
| existing_username.clone(), | ||
| existing_email.clone(), |
There was a problem hiding this comment.
Why does this test need an email? I don't think the create_user utility is very helpful here
Comment on lines
+426
to
+432
|
|
||
| impl OnConflict { | ||
| #[must_use] | ||
| pub fn is_add(&self) -> bool { | ||
| matches!(self, Self::Add) | ||
| } | ||
| } |
There was a problem hiding this comment.
I don't see it used?
Suggested change
| impl OnConflict { | |
| #[must_use] | |
| pub fn is_add(&self) -> bool { | |
| matches!(self, Self::Add) | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes Point 1 and 4 in #2089
Introducing new configuration
on_conflictin sectionclaims_imports.localpartto set the account linking strategyfail(default value): do nothing, and fail the registration/login (corresponds to allow_existing_users: false in Synapse)add: import the link without overriding existing links for this user (corresponds to allow_existing_users: true in Synapse)replace: import the link and replace any existing link for this user => not implemented in this PRset: import the link if and only if there is no existing link for this user => not implemented in this PRconfirmation page when configuration is
on_conflict: add: