🛂(backend) match email if no existing user matches the sub #303

Merged
merged 1 commit into from
Oct 4, 2024

Conversation

sampaccoud
Contributor

Purpose

Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fall back to matching the user on its email field.

Proposal

  • Add a setting OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION which defaults to True
  • When logging in, if the sub does not match any existing user, try matching on the email field before creating a new user for the unknown sub.
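
An added sketch of the lookup order proposed above, not the project's own code: `User`, `resolve_user`, `AmbiguousEmail` and the in-memory user list are hypothetical. The `require_verified_email` guard is an assumption that goes beyond the PR; it relies on the standard OIDC `email_verified` claim.

```python
from dataclasses import dataclass

# Setting name and default come from the PR description; everything else
# here (User, resolve_user, the in-memory list) is hypothetical.
OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION = True


@dataclass
class User:
    sub: str
    email: str


class AmbiguousEmail(Exception):
    """More than one stored user has the email presented by the IdP."""


def resolve_user(users, claims, fallback=OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION,
                 require_verified_email=False):
    """Return (user, how), where how is 'sub', 'email' or 'created'."""
    sub, email = claims["sub"], claims.get("email")

    # 1. Normal path: the sub identifies an existing user.
    for user in users:
        if user.sub == sub:
            return user, "sub"

    # 2. Fallback: unknown sub, try the email before creating a user.
    if fallback and email:
        # Assumption, not in the PR: optionally trust only emails the IdP
        # marks as verified (standard OIDC "email_verified" claim).
        if not require_verified_email or claims.get("email_verified") is True:
            matches = [u for u in users if u.email == email]
            if len(matches) > 1:
                raise AmbiguousEmail(email)  # refuse to guess between accounts
            if matches:
                return matches[0], "email"

    # 3. No match on sub or email: create a user for the unknown sub.
    user = User(sub=sub, email=email or "")
    users.append(user)
    return user, "created"


# Constructed sample data: a login whose sub is unknown but whose email is not.
ROTATED = {"sub": "sub-2", "email": "alice@example.com", "email_verified": False}
```
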

@sampaccoud sampaccoud requested a review from AntoLC October 3, 2024 22:04
@sampaccoud sampaccoud self-assigned this Oct 3, 2024
@sampaccoud sampaccoud added enhancement New feature or request python Pull requests that update Python code backend labels Oct 3, 2024
@qbey
Collaborator

qbey commented Oct 4, 2024

If the sub is random, how random is it? Is there not a risk of another user trying to use it?
Is there a way to know from the user info that the sub is random (so we can just ignore it and use the email instead)?

@sampaccoud sampaccoud force-pushed the avoid-duplicate-users-when-sub-varies branch from 3788c64 to 961b166 Compare October 4, 2024 08:37
@sampaccoud sampaccoud requested a review from qbey October 4, 2024 08:48
Some OIDC identity providers may provide a random value in the "sub"
field instead of an identifying ID. In this case, it may be a good
idea to fall back to matching the user on its email field.
@sampaccoud sampaccoud force-pushed the avoid-duplicate-users-when-sub-varies branch from 1548fcc to ab7c560 Compare October 4, 2024 19:49
@sampaccoud sampaccoud changed the title 🛂(frontend) match email if no existing user matches the sub 🛂(backend) match email if no existing user matches the sub Oct 4, 2024
@sampaccoud sampaccoud enabled auto-merge (rebase) October 4, 2024 19:52
@sampaccoud sampaccoud merged commit ff7914f into main Oct 4, 2024
16 of 17 checks passed
@sampaccoud sampaccoud deleted the avoid-duplicate-users-when-sub-varies branch October 4, 2024 20:08