vikunja
/
vikunja
6
43
Fork 71
Code Issues 150 Pull Requests 15 Packages Releases 32 Activity

Associate OIDC user with existing user #1589

New Issue
Closed
opened 2023-08-13 18:31:04 +00:00 by kgehmlich · 3 comments
kgehmlich commented 2023-08-13 18:31:04 +00:00
Copy Link

Vikunja API version: 0.21.0

Expectation:
When I log in for the first time using OIDC with a user that has the same email address as an existing Vikunja user, I should be logged in as the latter. A new user should not be created.

Actual behaviour:
When logging in for the first time with OIDC, a new user is created with the same email address as my existing (pre-OIDC) user. The new user has a random username.

Relevant info:

  • Identity provider is Keycloak
  • Keycloak user has same username and email address as existing Vikunja user
Vikunja API version: 0.21.0 Expectation: When I log in for the first time using OIDC with a user that has the same email address as an existing Vikunja user, I should be logged in as the latter. A new user should not be created. Actual behaviour: When logging in for the first time with OIDC, a new user is created with the same email address as my existing (pre-OIDC) user. The new user has a random username. Relevant info: * Identity provider is Keycloak * Keycloak user has same username and email address as existing Vikunja user
konrad commented 2023-08-22 16:55:09 +00:00
Owner
Copy Link

I think the way it currently works is the correct way to do it. From Vikunja's perspective, the two users are different because they come from different sources. How should it behave if you want to log in using credentials after logging in through the oidc provider?

Do you know other applications doing it the way you described it?

I think the way it currently works is the correct way to do it. From Vikunja's perspective, the two users are different because they come from different sources. How should it behave if you want to log in using credentials after logging in through the oidc provider? Do you know other applications doing it the way you described it?
kgehmlich commented 2023-08-22 20:03:30 +00:00
Author
Copy Link

Hmm, that's a good question, maybe my expectations are wrong.

I've seen some services - WikiJS is an example - work this way. If the unique identifier for the user (email, in WikiJS) matches the identifier provided by the OIDC provider, then both login paths authenticate as the same user. However, I'm just now realizing that that seems like a pretty major security flaw, since a bad actor could gain access to an account that's not theirs just by setting the right email address in the OIDC provider.

Another approach I've seen is one where the service offers to link an existing account to the new login (I think I saw this on Gitea, actually), but that could easily be a lot of work to implement and might not be worth the effort.

Hmm, that's a good question, maybe my expectations are wrong. I've seen some services - WikiJS is an example - work this way. If the unique identifier for the user (email, in WikiJS) matches the identifier provided by the OIDC provider, then both login paths authenticate as the same user. However, I'm just now realizing that that seems like a pretty major security flaw, since a bad actor could gain access to an account that's not theirs just by setting the right email address in the OIDC provider. Another approach I've seen is one where the service offers to link an existing account to the new login (I think I saw this on Gitea, actually), but that could easily be a lot of work to implement and might not be worth the effort.
konrad commented 2023-08-23 06:39:41 +00:00
Owner
Copy Link

However, I'm just now realizing that that seems like a pretty major security flaw, since a bad actor could gain access to an account that's not theirs just by setting the right email address in the OIDC provider.

That's probably why very few services do this.

Another approach I've seen is one where the service offers to link an existing account to the new login (I think I saw this on Gitea, actually), but that could easily be a lot of work to implement and might not be worth the effort.

We might build that at some point, but not anytime soon.

I'll close this issue now as the original problem does not seem relevant now. Feel free to open a new one for merging accounts.

> However, I'm just now realizing that that seems like a pretty major security flaw, since a bad actor could gain access to an account that's not theirs just by setting the right email address in the OIDC provider. That's probably why very few services do this. > Another approach I've seen is one where the service offers to link an existing account to the new login (I think I saw this on Gitea, actually), but that could easily be a lot of work to implement and might not be worth the effort. We might build that at some point, but not anytime soon. I'll close this issue now as the original problem does not seem relevant now. Feel free to open a new one for merging accounts.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
renovate/camel-case-5.x
renovate/go-1.x
renovate/lowlight-3.x
renovate/golang.org-x-sync-0.x
renovate/major-dev-dependencies
renovate/github.com-wneessen-go-mail-0.x
renovate/golangci-golangci-lint-1.x
feature/better-filter-syntax
fix/tiptap-task-list
renovate/flexsearch-0.x
feature/zod-schema
renovate/github.com-typesense-typesense-go-1.x
renovate/github.com-golang-jwt-jwt-v4-5.x
automatic-year-range-for-go-header-template
feature/hide-forbidden-related-tasks
renovate/golang-1.x
release/0.20
release/0.17
release/0.16
release/0.15
release/0.14
release/0.13
v0.23.0
v0.22.1
v0.22.0
v0.21.0
v0.20.4
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.2
v0.19.1
v0.19.0
v0.18.1
v0.18.0
v0.17.1
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.1
v0.13
v0.12
v0.11
v0.10
v0.9
v0.8
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Labels
Clear labels   
dependencies

   
duplicate

This issue or pull request already exists

  
help wanted

Need some help

  
invalid

Something is wrong

  
kind/bug

Something is not working

  
kind/feature

New feature

  
needs reproduction

   
question

More information is needed

  
security

   
wontfix

This won't be fixed

No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: vikunja/vikunja#1589
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?