Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FIX] Prevent user creation for custom OAuth when registration is disabled and LDAP is enabled #22564

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[FIX] Prevent user creation for custom OAuth when registration is disabled and LDAP is enabled #22564

wants to merge 1 commit into from
+11 −2

Conversation

LouisSung
Copy link

@LouisSung LouisSung commented Jul 4, 2021
edited
Loading

When the Accounts_Registration_AuthenticationServices_Enabled is set as false, the user should not be created via custom OAuth service.

Proposed changes (including videos or screenshots)

Issue(s)

Resolve #15787, resolves #20671

Steps to test or reproduce

When Accounts_Registration_AuthenticationServices_Enabled is set as false, the user try to sign in with custom OAuth service will be blocked with log Exception while invoking method login Error: User registration is disabled for authentication services [registration-disabled-authentication-services], which is as excepted

However, when the LDAP_Enable is set as true, the rule breaks because the validation checks if both of the two configs are false, see: 3.16.1/app/authentication/server/startup/index.js#L366

This is UNEXPECTED as you could think of those who need the custom OAuth service may often have their LDAP enabled for such an on-premise server.
In our case, we pre-sync part of the users to our server with LDAP but do NOT want all of the users that can pass the OAuth service to register a new account automatically.

Further comments

By further checking the settings.get(/^Accounts_OAuth_Custom-[a-z0-9_]+$/i).length > 0, we are able to prevent user from create their account automatically.

  1. The /^Accounts_OAuth_Custom-[a-z0-9_]+$/i refers to oAuthServicesUpdate.js#L19
  2. The serviceName.replace(/^Accounts_OAuth_Custom-/, '').toLowerCase() refers to addOAuthService.js#L8, which limits the name of custom OAuth service as lowercase (i.e., [a-z0-9_]+)

Dev Environment

Rocket.Chat@3.15.0 + Keycloak as custom OAuth service provider

Results

  1. The existing users can still sign in with custom OAuth service correctly
  2. The non-existent user will NOT able to sign in even they pass the OAuth handshaking (because the user registration was disabled)
    • One of the possible enhancement would be these checks were done in server side, which means the client side won't able to know why they failed to sign in without any logs _(;3

@LouisSung
Fix user creation for custom OAuth when registration disabled
c4e2434 
When the `Accounts_Registration_AuthenticationServices_Enabled` is set
as false, the user should not be created via custom OAuth service.

Resolves: #15787, #20671
@LouisSung LouisSung mentioned this pull request Jul 4, 2021
Closed
@CLAassistant
Copy link

CLAassistant commented Dec 17, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

@LouisSung LouisSung mentioned this pull request Jan 11, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
communityPR
Projects
None yet
Milestone
No milestone
3 participants
@LouisSung @CLAassistant @debdutdeb