haiwen / seafile

High performance file syncing and sharing, with also Markdown WYSIWYG editing, Wiki, file label and other knowledge management features.
http://seafile.com/

Multiple accounts with the same mail via SSO prevent login (MultipleObjectsReturned at /accounts/login/) #2788

Open vbartels opened 2 weeks ago

vbartels commented 2 weeks ago

I migrated to V11. My domain changed, so I created new users and moved all their libraries. All users are already V11 style (with an @auth.local ID and a contact mail). I configured SSO against Zitadel with this config:

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID         = "111111111111111111@project"
OAUTH_CLIENT_SECRET     = "The Secret came from the Action button in Zitadel -> regenerate"
OAUTH_REDIRECT_URL      = 'https://seafile.domain.tld/oauth/callback/'
OAUTH_PROVIDER_DOMAIN   = 'seafile.domain.tld'
OAUTH_PROVIDER          = 'seafile.domain.tld'
OAUTH_AUTHORIZATION_URL = 'https://sso1.domain.tld/oauth/v2/authorize'
OAUTH_TOKEN_URL         = 'https://sso1.domain.tld/oauth/v2/token'
OAUTH_USER_INFO_URL     = 'https://sso1.domain.tld/oidc/v1/userinfo'
OAUTH_SCOPE             = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "uid"),
    "name": (True, "name"),
    "email": (True, "contact_email")
}

Which works, but instead of logging in to the existing users, it creates a new one. The problem is, it doesn't check whether there is already a user with this contact mail. This seems to be a bug, since logging in with a user which existed before, and a login via SSO, is then no longer possible and throws this error due to two accounts having the same contact mail:

MultipleObjectsReturned at /accounts/login/
get() returned more than one Profile -- it returned 2!

Exception Location: /var/www/seafile-server-11.0.9/seahub/thirdpart/django/db/models/query.py, line 640, in get

Python Path (from the Django debug page):
 '/var/www/seafile-server-11.0.9/seahub',
 '/var/www/seafile-server-latest',
 '/var/www/seafile-server-11.0.9/seahub/thirdpart/bin',
 '/var/www/seafile-server-11.0.9/seafile/lib/python3/site-packages',
 '/var/www/seafile-server-11.0.9/seafile/lib64/python3/site-packages',
 '/var/www/seafile-server-11.0.9/seahub',
 '/var/www/seafile-server-11.0.9/seahub/thirdpart',
 '/var/www/seafile-server-11.0.9',
 '/var/www/seafile-server-11.0.9/pro/python',
 '/usr/lib/python311.zip',
 '/usr/lib/python3.11',
 '/usr/lib/python3.11/lib-dynload',
 '/usr/local/lib/python3.11/dist-packages',
 '/usr/local/lib/python3.11/dist-packages/SQLAlchemy-2.1.0b1.dev0-py3.11.egg',
 '/usr/local/lib/python3.11/dist-packages/typing_extensions-4.12.1-py3.11.egg',
 '/usr/lib/python3/dist-packages',
 '/usr/lib/python3.11/dist-packages',
 '/var/www/seafile-server-11.0.9/seahub/seahub/auth/../../../../conf',
 '/var/www/seafile-server-11.0.9/seahub/seahub/api2/endpoints/../../../../../conf',
 '/var/www/seafile-server-11.0.9/seahub/seahub/api2/endpoints/../../../../../conf',
 '/var/www/seafile-server-11.0.9/seahub/seahub/oauth/../../../../conf'
freeplant commented 1 week ago

The best way to solve the problem is to manually add a mapping entry in social_auth_usersocialauth that maps the SSO users to the existing users.