allow importing existing users when the localpart matches in upstream OAuth 2.0 logins

Author: mcalinghee

crates/cli/src/sync.rs

@@ -292,6 +292,7 @@ pub async fn config_sync(
                         fetch_userinfo: provider.fetch_userinfo,
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
+                        allow_existing_users: provider.allow_existing_users,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/upstream_oauth2.rs

@@ -536,6 +536,13 @@ pub struct Provider {
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]
     pub claims_imports: ClaimsImports,
 
+    /// Whether to allow a user logging in via OIDC to match a pre-existing
+    /// account instead of failing. This could be used if switching from
+    /// password logins to OIDC.
+    //Defaults to false.
+    #[serde(default)]
+    pub allow_existing_users: bool,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.

crates/data-model/src/upstream_oauth2/provider.rs

@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
+    pub allow_existing_users: bool,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 

crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs

@@ -46,6 +46,7 @@ mod test_utils {
             token_endpoint_override: None,
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
+            allow_existing_users: true,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }

crates/handlers/src/upstream_oauth2/cache.rs

@@ -422,6 +422,7 @@ mod tests {
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
+            allow_existing_users: false,
             additional_authorization_parameters: Vec::new(),
         };
 

crates/handlers/src/upstream_oauth2/link.rs

@@ -465,7 +465,9 @@ pub(crate) async fn get(
                             .await
                             .map_err(RouteError::HomeserverConnection)?;
 
-                        if maybe_existing_user.is_some() || !is_available {
+                        if !provider.allow_existing_users
+                            && (maybe_existing_user.is_some() || !is_available)
+                        {
                             if let Some(existing_user) = maybe_existing_user {
                                 // The mapper returned a username which already exists, but isn't
                                 // linked to this upstream user.
@@ -742,15 +744,16 @@ pub(crate) async fn post(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Required,
                     );
-                } else if repo.user().exists(&username).await? {
+                } else if !provider.allow_existing_users && repo.user().exists(&username).await? {
                     form_state.add_error_on_field(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Exists,
                     );
-                } else if !homeserver
-                    .is_localpart_available(&username)
-                    .await
-                    .map_err(RouteError::HomeserverConnection)?
+                } else if !provider.allow_existing_users
+                    && !homeserver
+                        .is_localpart_available(&username)
+                        .await
+                        .map_err(RouteError::HomeserverConnection)?
                 {
                     // The user already exists on the homeserver
                     tracing::warn!(
@@ -830,10 +833,22 @@ pub(crate) async fn post(
                     .into_response());
             }
 
-            REGISTRATION_COUNTER.add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
-
-            // Now we can create the user
-            let user = repo.user().add(&mut rng, &clock, username).await?;
+            let user = if provider.allow_existing_users {
+                // If the provider allows existing users, we can use the existing user
+                let existing_user = repo.user().find_by_username(&username).await?;
+                if existing_user.is_some() {
+                    existing_user.unwrap()
+                } else {
+                    REGISTRATION_COUNTER
+                        .add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
+                    // This case should not happen
+                    repo.user().add(&mut rng, &clock, username).await?
+                }
+            } else {
+                REGISTRATION_COUNTER.add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
+                // Now we can create the user
+                repo.user().add(&mut rng, &clock, username).await?
+            };
 
             if let Some(terms_url) = &site_config.tos_uri {
                 repo.user_terms()
@@ -975,6 +990,7 @@ mod tests {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },

crates/handlers/src/views/login.rs

@@ -494,6 +494,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -535,6 +536,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },