Associate OIDC user with existing user #1589
Labels
No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: vikunja/vikunja#1589
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Vikunja API version: 0.21.0
Expectation:
When I log in for the first time using OIDC with a user that has the same email address as an existing Vikunja user, I should be logged in as the latter. A new user should not be created.
Actual behaviour:
When logging in for the first time with OIDC, a new user is created with the same email address as my existing (pre-OIDC) user. The new user has a random username.
Relevant info:
I think the way it currently works is the correct way to do it. From Vikunja's perspective, the two users are different because they come from different sources. How should it behave if you want to log in using credentials after logging in through the oidc provider?
Do you know other applications doing it the way you described it?
Hmm, that's a good question, maybe my expectations are wrong.
I've seen some services - WikiJS is an example - work this way. If the unique identifier for the user (email, in WikiJS) matches the identifier provided by the OIDC provider, then both login paths authenticate as the same user. However, I'm just now realizing that that seems like a pretty major security flaw, since a bad actor could gain access to an account that's not theirs just by setting the right email address in the OIDC provider.
Another approach I've seen is one where the service offers to link an existing account to the new login (I think I saw this on Gitea, actually), but that could easily be a lot of work to implement and might not be worth the effort.
That's probably why very few services do this.
We might build that at some point, but not anytime soon.
I'll close this issue now as the original problem does not seem relevant now. Feel free to open a new one for merging accounts.