nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0

How to handle OIDC login of a user who already exists as a DB one? #660

Open julien-nc opened 1 year ago

julien-nc commented 1 year ago

If a user exists as a DB one and then authenticates with user_oidc, the row in oc_users is still there. The user is then handled by 2 backends. So if the user_oidc user is deleted, the DB one still exists and can log in.

How could we improve this?

One solution would be to let admins set a provider-specific setting flag to choose what happens when user_oidc finds a database user with the same id on OIDC login:

@juliushaertl

juliusknorr commented 1 year ago
joergmschulz commented 1 year ago

I don't think there is a way around this issue - in contrast to the LDAP user provisioning, the OIDC provisioning does not list and create all available users. It only creates users not existing when the user logs in. Nextcloud has no way of telling whether or not an existing user still exists within the OIDC provider. You can circumvent this issue if you enable LDAP as user provisioning for Nextcloud and use the same LDAP source for your OIDC provider. Then Nextcloud has a way of telling a user is obsolete and you can remove everything using (caveat: this removes the user and their data):

# Delete every account the LDAP backend reports as a remnant (no longer found in LDAP).
# The grep drops the table border and header lines (only rows containing a dot are kept);
# the awk field is the second '|'-separated column, the Nextcloud user id.
for i in $(php occ ldap:show-remnants | grep '\.' | awk -F '|' '{print $2}'); do
    echo "Delete user: $i"
    php occ user:delete "$i"    # removes the account together with its data
done
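The loop above deletes on the first pass, with no chance to review the list. The following is an added example, not code from the user_oidc project or from the comment above: the same remnant cleanup split into a parsing step, a keep-list filter and a dry-run-by-default delete step. It assumes, like the loop above, that `php occ ldap:show-remnants` prints a `|`-separated table whose second column is the Nextcloud user id; the table embedded in the script is a constructed sample in that layout, not real command output, and `remnant_uids`, `uids_to_delete` and `delete_remnants` are names chosen here.

```shell
#!/bin/sh
# Added example (not the project's code). Dry-run-first cleanup of LDAP remnants.
# Assumption: `php occ ldap:show-remnants` prints a '|'-separated table whose
# second column is the Nextcloud uid. SAMPLE_REMNANTS is a constructed sample
# in that layout so the script can be exercised offline.

SAMPLE_REMNANTS='+----------------+--------------+--------------+----------------------+------------+-------------+
| Nextcloud name | Display Name | LDAP UID     | LDAP DN              | Last Login | Detected On |
+----------------+--------------+--------------+----------------------+------------+-------------+
| alice.smith    | Alice Smith  | alice.smith  | cn=alice,dc=example  | 2023-01-02 | 2023-03-04  |
| bob            | Bob Jones    | bob          | cn=bob,dc=example    | -          | 2023-03-04  |
+----------------+--------------+--------------+----------------------+------------+-------------+'

# Print the uid column of a show-remnants table, one uid per line.
# Only '|' rows are considered, the first of them (the header) is skipped,
# and surrounding whitespace is trimmed, so border lines and dates never leak in.
remnant_uids() {
    printf '%s\n' "$1" |
        grep '^|' |
        awk -F '|' 'NR > 1 {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($2 != "") print $2
        }'
}

# Same list minus a space-separated keep list (e.g. break-glass admin accounts
# that must survive even if the directory lost them).
uids_to_delete() {
    remnant_uids "$1" | while IFS= read -r uid; do
        case " ${2:-} " in
            *" $uid "*) ;;                      # on the keep list, skip
            *) printf '%s\n' "$uid" ;;
        esac
    done
}

# Apply the cleanup. Unless the second argument is "yes" nothing is deleted;
# the plan is printed instead so it can be reviewed before data is destroyed.
delete_remnants() {
    uids_to_delete "$1" "${3:-}" | while IFS= read -r uid; do
        if [ "${2:-no}" = "yes" ]; then
            echo "Deleting user: $uid"
            php occ user:delete "$uid"          # removes the account and its data
        else
            echo "Would delete user: $uid (dry run)"
        fi
    done
}

# Review against the constructed sample; for a real run use
#   delete_remnants "$(php occ ldap:show-remnants)" yes "admin"
delete_remnants "$SAMPLE_REMNANTS" no "alice.smith"
```

The keep list matters in exactly the situation this issue describes: an account that exists in the database backend as well as in LDAP/OIDC should be kept deliberately, not dropped because one of its backends stopped listing it.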