New system config flag to disable user creation in soft auto provisioning #954
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
come-nc
reviewed
Sep 30, 2024
lib/Service/ProvisioningService.php
Outdated
| @@ -149,6 +109,17 @@ public function provisionUser(string $tokenUserId, int $providerId, object $idTo | |||
| if ($existingLocalUser !== null) { | |||
| $user = $existingLocalUser; | |||
| } else { | |||
| // if disable_account_creation is true, user_oidc should not manage user | |||
| // - no user creation | |||
| // - do not use the existing users managed by the user_oidc backend | |||
There was a problem hiding this comment.
Hum but what if user_oidc created some users and then I enable the new option, these users disappear? Or at least cannot login anymore?
There was a problem hiding this comment.
They can't login... I took the easy way. I can change that behaviour. Do you think it makes more sense to let them in?
There was a problem hiding this comment.
Oh no I just had another read of the code. It's fine. If some users were created by user_oidc before disable_account_creation was switched on, they can still connect after. The comment was wrong and is now fixed.
julien-nc
force-pushed
the
enh/noid/disable-user-creation-soft-auto-pro
branch
from
131c502
to
f77068a
Compare
come-nc
approved these changes
Oct 3, 2024
julien-nc
force-pushed
the
enh/noid/disable-user-creation-soft-auto-pro
branch
from
f81e27c
to
40317da
Compare
…n soft auto provisioning Signed-off-by: Julien Veyssier <[email protected]>
Signed-off-by: Julien Veyssier <[email protected]>
Signed-off-by: Julien Veyssier <[email protected]>
julien-nc
force-pushed
the
enh/noid/disable-user-creation-soft-auto-pro
branch
from
40317da
to
a7eb94f
Compare
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are missing a use case in soft auto provisioning. Some people might want to only accept Oidc logins from users that already exist in other backends (like when auto provisioning is disabled) but still want user_oidc to set the mapped attributes to the user (like when soft auto provisioning is enabled and the user already exists in another backend).
There were 2 ways to do that:
force_attribute_provisioning)We chose 2. with @come-nc thinking it's slightly easier to grasp when configuring user_oidc.