Duplicate users after changing oidc provider #1596

Closed
opened 2023-08-25 23:55:31 +00:00 by TaoChen · 5 comments

Description

I changed my IdP (OIDC), I use my account to login and I find I have a new account although these two have the same username and email.

```sql
 id |   name   |       username        | password |        email        | status | avatar_provider | avatar_file_id |               issuer                |               subject
           | email_reminders_enabled | discoverable_by_name | discoverable_by_email | overdue_tasks_reminders_enabled | overdue_tasks_reminders_time | default_project_id | week_start
 | language |   timezone    | deletion_scheduled_at | deletion_last_reminder_sent | export_file_id |       created       |       updated       | frontend_settings
----+----------+-----------------------+----------+---------------------+--------+-----------------+----------------+-------------------------------------+---------------------------
-----------+-------------------------+----------------------+-----------------------+---------------------------------+------------------------------+--------------------+-----------
-+----------+---------------+-----------------------+-----------------------------+----------------+---------------------+---------------------+-------------------
  1 | xxxx | xxxx               |          | xxxx |      0 | upload          |              1 | https://auth.xxxx.com/cas/oidc   | chentao
           | t                       | t                    | t                     | t                               | 9:00                         |                  0 |          1
 | en       | Europe/Zurich |                       |                             |              0 | 2023-05-14 09:37:56 | 2023-05-15 00:13:16 |
 10 | xxxx | jointly-joint-octopus |          | xxxx|      0 | initials        |              0 | https://auth.xxxxx/realms/eqe | 4b001fd9-52e5-4458-b2b1-9f
45e137a452 | t                       | t                    | t                     | t                               | 9:00                         |                 24 |          1
 | en       | Europe/Zurich |                       |                             |              0 | 2023-08-25 23:43:37 | 2023-08-25 23:43:38 | null
(2 rows)
```

Vikunja Frontend Version

0.21

Vikunja API Version

0.21

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

No response

TaoChen added the kind/bug label 2023-08-25 23:55:31 +00:00
konrad changed title from Duplicate users to Duplicate users after changing oidc provider 2023-08-26 09:08:39 +00:00
Owner

This is expected behavior. To Vikunja, an account from oidc is unique within an (email/username, issuer) tuple where email / username are something unique the provider can come up with. Vikunja cannot know if your oidc provider changed its issuer URL or you've used another provider. And it shouldn't, because otherwise you could hijack an account with the same email address from another provider.

Similar to vikunja/api#1589

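The trade-off described in the comment above, as an added example that is not part of the original thread and is not Vikunja's code: a login resolved on the issuer plus the provider's unique identifier creates a second account when the issuer changes, while an email-only lookup would hand the existing account to whichever issuer asserts that address. All type and function names, issuer URLs and claim values here are constructed for illustration.

```go
package main

import "fmt"

// Claims is the subset of ID token claims used here (hypothetical type).
type Claims struct{ Issuer, Subject, Email string }

// User mirrors the issuer/subject/email columns shown in the issue.
type User struct {
	ID                     int
	Issuer, Subject, Email string
}

// Store is a constructed in-memory stand-in for the user table.
type Store struct{ users []*User }

// FindOrCreateByIssuer keys the account on (issuer, subject): claims from a
// different issuer never resolve to an existing row, so a new user is created.
func (s *Store) FindOrCreateByIssuer(c Claims) *User {
	for _, u := range s.users {
		if u.Issuer == c.Issuer && u.Subject == c.Subject {
			return u
		}
	}
	u := &User{ID: len(s.users) + 1, Issuer: c.Issuer, Subject: c.Subject, Email: c.Email}
	s.users = append(s.users, u)
	return u
}

// FindByEmailOnly is the unsafe alternative: it trusts the email claim of
// any issuer, so the issuer asserting the address gets the existing account.
func (s *Store) FindByEmailOnly(c Claims) *User {
	for _, u := range s.users {
		if u.Email == c.Email {
			return u
		}
	}
	return nil
}

func main() {
	s := &Store{}
	old := Claims{"https://old-idp.example/oidc", "chentao", "user@example.com"}
	moved := Claims{"https://new-idp.example/realms/r", "constructed-sub", "user@example.com"}
	a := s.FindOrCreateByIssuer(old)
	fmt.Println(s.FindByEmailOnly(moved) == a) // true: email-only lookup crosses issuers
	b := s.FindOrCreateByIssuer(moved)
	fmt.Println(a.ID, b.ID) // 1 2: the duplicate account reported in this issue
}
```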
Author

But I think we should have a way to combine them (users).

> And it shouldn't, because otherwise you could hijack an account with the same email address from another provider.

  • And I manage my own IDP, this won't be a problem.
Owner

We might add a way to merge accounts from different providers in the future.

> And I manage my own IDP, this won't be a problem.

You might, but not everyone does.

Author

Is there any way I can merge them by modifying the database? I tried to modify the issuer but it doesn't work.

Owner

It should work if you remove the new user (id 10) and change the issuer, email address and username of the first (id 1) to that of the one you deleted.

Reference: vikunja/vikunja#1596