A Berkeley user may have both a base @berkeley.edu email address and a departmental email address.
Consider a pre-existing portal user who:
Has a base @berkeley.edu email address associated with their portal account,
Has since added a departmental email address to their Berkeley account (not portal account), and
Has never logged in via CILogon (so does not have an existing SocialAccount object).
When the user logs in via CalNet, CILogon provides the departmental address as the email. The system fails to look up a user with a matching EmailAddress, so it creates a new portal account, rather than connecting the user to their existing portal account.
This pull request uses the fact that CILogon also provides an eppn field containing the base email address for Berkeley users. It uses this field as another means to connect users to existing portal accounts, handling the case above.
Changes
Introduced a secondary way of identifying users: the eppn field given by CILogon.
If and only if the field matches an existing, verified EmailAddress, then connect to the associated user.
If a different user is identified from the email addresses given by the provider, raise an error.
Refactored authentication logic across methods.
Modified the inherited method for populating a User object from SSO-provided information to largely call parent class logic.
Modified the signal for creating EmailAddress objects upon successful authentication to create them whenever a SocialAccount is created or updated (to cover the case where SocialLogin.connect is manually called).
Added tests for CILogon authentication cases.
How to Test
Ensure that the test suite passes on GitHub Actions.
Notes
The eppn field appears to give the base email address for UC Berkeley users. However, eppn cannot be assumed to be an email address generally, so EmailAddress objects are not created for them.
Note that this does not cover the case when a user has an existing portal account under a departmental email address, but then loses that address such that CalNet provides the base address during authentication.
Users who satisfy the above but who have also never logged in to the portal (and would therefore have a SocailAccount that could be identified) are expected to be rare.
Refs #544
Context
@berkeley.eduemail address and a departmental email address.@berkeley.eduemail address associated with their portal account,SocialAccountobject).EmailAddress, so it creates a new portal account, rather than connecting the user to their existing portal account.eppnfield containing the base email address for Berkeley users. It uses this field as another means to connect users to existing portal accounts, handling the case above.Changes
eppnfield given by CILogon.EmailAddress, then connect to the associated user.Userobject from SSO-provided information to largely call parent class logic.EmailAddressobjects upon successful authentication to create them whenever aSocialAccountis created or updated (to cover the case whereSocialLogin.connectis manually called).How to Test
Notes
eppnfield appears to give the base email address for UC Berkeley users. However,eppncannot be assumed to be an email address generally, soEmailAddressobjects are not created for them.SocailAccountthat could be identified) are expected to be rare.