New OIDC user registrations do not bind email addresses when user consent is required at registration time. - Githubissues

element-hq / synapse

Synapse: Matrix homeserver written in Python/Twisted.

https://element-hq.github.io/synapse

GNU Affero General Public License v3.0

1.25k stars 152 forks source link

New OIDC user registrations do not bind email addresses when user consent is required at registration time. #16317

Open matrixbot opened 8 months ago

matrixbot commented 8 months ago

This issue has been migrated from #16317.

This is a bit of an edge case, so please bear with. The parameters are:

You have enabled consent.user_consent_at_registration in your config.
You have OIDC auth enabled. You allow users to register via OIDC.
You have set localpart_template, displayname_template and email_template in the OIDC config so that users can automatically map their emails.

When this is set, the mapped email is always ignored on registration. Specifically you'll get a log line like:

2023-09-12 23:08:50,238 - synapse.handlers.sso - 1074 - INFO - GET-219194- [session vsrKfTioDugwCcQw] Registered userid @foo:example.com with attributes UserAttributes(localpart='foo', confirm_localpart=False, display_name='Mr Foo', picture=None, emails=())

The OIDC code is quite hard to follow, but I have done my best to understand it. The flow I believe is as follows:

/_synapse/client/oidc/callback

The user logs in, and does the OIDC authentication part. They are sent to /_synapse/client/oidc/callback.
Synapse sees this, works out that the user doesn't exist yet (here).
Because user_consent_at_registration is true, the user is directed to /_synapse/client/new_user_consent in _get_url_for_next_new_user_step.
_redirect_to_next_new_user_step will store the mapped emails in the session object.

/_synapse/client/new_user_consent

The user is asked to consent, and does so.
Nothing terribly exciting happens to the session state but eventually a new url is generated via _get_url_for_next_new_user_step. Because the current stage passes in a session object, we are sent to /_synapse/client/sso_register.

/_synapse/client/sso_register

This calls register_sso_user, which looks at session.emails_to_use, rather than session.emails that was set in /_synapse/client/oidc/callback. emails_to_use is expected to be set during /_synapse/client/pick_username but because we define a localpart template already, we are never sent to this page.
The user is created with no bound emails because emails_to_use is not set.

Proposal

We should probably fall back to session.emails when session.emails_to_use has not been defined.

thebalaa commented 2 months ago

I am seeing this behavior even without consent being enabled. Using keyloak oidc provider.