OIDC Strict cannot handle existing users if OIDC connection is mismatched · Issue #2225 · tgstation/tgstation-server · GitHub

Open
Drulikar opened this issue May 19, 2025 · 1 comment
Labels: Bug (Something's fucky), Reproduction Required (Reproduction steps required for issue)

Drulikar (Contributor) commented May 19, 2025

Describe the bug
As explained on discord, OIDC strict mode prevents all user editing, and aborts logins if it ever tries to create a user that already exists.

To Reproduce
Steps to reproduce the behavior:

  1. Start TGS in non-strict OIDC
  2. Create a user with a CanonicalName that will be a future OIDC connection (but either have no OIDC connection or have something that isn't the new OIDC connection exactly)
  3. Restart TGS in strict OIDC
  4. Attempt to log in as the previously created user

Expected behavior
User is able to log in (existing entry is trampled/edited)

Logs
error.txt

Server State: (please complete the following information):

Additional context
https://discord.com/channels/484170914754330625/653425022966169620/1373802880577966182

Solutions:

  • If an OIDC connection exists but needs to be renamed: update OidcConnections set ExternalUserId='NEWOIDC' where ExternalUserId='OLDOIDC';
  • If it doesn't, either drop back to non-strict and add it, or create the entire row in OidcConnections
  • Allow users to be deleted
  • Allow users to have OIDC connections edited
  • Allow TGS to edit an existing user on login that collides
Drulikar added the Bug and Reproduction Required labels May 19, 2025

Drulikar (Contributor, Author) commented:

Also of note, it seems it will write a new entry to the db when attempting to create a new user, and this will also break all future attempts for that user to log in because they don't have an OIDC connection set, and the username can collide.
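The collision described in the reproduction steps, the two database repairs listed under "Solutions" (renaming an existing OidcConnections row, or inserting the missing row for a user that has none), and an audit that finds users who would collide before strict mode is switched on, modelled on a throwaway SQLite database. This is an added example, not code from tgstation-server; the column names UserId and SchemeKey, the scheme key "keycloak", the SQLite schema and all sample users are assumptions made for the example (only the table name OidcConnections and the ExternalUserId and CanonicalName columns appear in the issue), and the strict-mode login logic is a simplified stand-in for TGS's own:

```python
"""Added example (not TGS code): model the strict-OIDC login collision on a
throwaway SQLite database and apply the repairs proposed in issue #2225."""
import sqlite3

# Assumed schema for the example; TGS's real tables and column names may differ.
SCHEMA = """
CREATE TABLE Users (
    Id INTEGER PRIMARY KEY,
    CanonicalName TEXT NOT NULL UNIQUE
);
CREATE TABLE OidcConnections (
    Id INTEGER PRIMARY KEY,
    UserId INTEGER NOT NULL REFERENCES Users(Id),
    SchemeKey TEXT NOT NULL,
    ExternalUserId TEXT NOT NULL,
    UNIQUE (SchemeKey, ExternalUserId)
);
"""

SCHEME = "keycloak"  # hypothetical OIDC scheme key used throughout the sample data


def open_db():
    """In-memory database with constructed sample data: 'alice' is linked under an
    old external ID (the mismatch case), 'bob' has no OIDC connection at all."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Users(Id, CanonicalName) VALUES (1, 'alice'), (2, 'bob')")
    conn.execute(
        "INSERT INTO OidcConnections(UserId, SchemeKey, ExternalUserId) VALUES (1, ?, 'OLDOIDC')",
        (SCHEME,))
    conn.commit()
    return conn


def strict_login(conn, scheme, external_id, canonical_name):
    """Simplified model of a strict-mode login: resolve the user by OIDC connection;
    otherwise create user + connection atomically. A CanonicalName collision makes
    the create fail, which is returned as None (login aborted), leaving no orphan row."""
    row = conn.execute(
        "SELECT UserId FROM OidcConnections WHERE SchemeKey = ? AND ExternalUserId = ?",
        (scheme, external_id)).fetchone()
    if row:
        return row[0]
    try:
        with conn:  # commits on success, rolls back on IntegrityError
            cur = conn.execute("INSERT INTO Users(CanonicalName) VALUES (?)", (canonical_name,))
            conn.execute(
                "INSERT INTO OidcConnections(UserId, SchemeKey, ExternalUserId) VALUES (?, ?, ?)",
                (cur.lastrowid, scheme, external_id))
            return cur.lastrowid
    except sqlite3.IntegrityError:
        return None


def find_unlinked_users(conn, scheme):
    """Audit to run before enabling strict mode: users with no connection for the
    scheme; each of these will collide on CanonicalName at their first strict login."""
    return [name for (name,) in conn.execute(
        "SELECT u.CanonicalName FROM Users u WHERE NOT EXISTS ("
        "  SELECT 1 FROM OidcConnections c WHERE c.UserId = u.Id AND c.SchemeKey = ?)"
        " ORDER BY u.CanonicalName", (scheme,))]


def rename_connection(conn, old_external_id, new_external_id):
    """The UPDATE from the issue's first bullet; returns the number of rows changed."""
    with conn:
        return conn.execute(
            "UPDATE OidcConnections SET ExternalUserId = ? WHERE ExternalUserId = ?",
            (new_external_id, old_external_id)).rowcount


def link_existing_user(conn, canonical_name, scheme, external_id):
    """The issue's second bullet: create the whole OidcConnections row for an
    existing user by CanonicalName; returns the number of rows inserted."""
    with conn:
        return conn.execute(
            "INSERT INTO OidcConnections(UserId, SchemeKey, ExternalUserId) "
            "SELECT Id, ?, ? FROM Users WHERE CanonicalName = ?",
            (scheme, external_id, canonical_name)).rowcount


def demo():
    """Walk through the collision and both repairs; returns the observed results."""
    conn = open_db()
    out = {"unlinked_before": find_unlinked_users(conn, SCHEME)}
    out["alice_before"] = strict_login(conn, SCHEME, "NEWOIDC", "alice")   # mismatched ID
    out["bob_before"] = strict_login(conn, SCHEME, "BOB-OIDC", "bob")      # no connection
    out["renamed"] = rename_connection(conn, "OLDOIDC", "NEWOIDC")
    out["alice_after"] = strict_login(conn, SCHEME, "NEWOIDC", "alice")
    out["linked"] = link_existing_user(conn, "bob", SCHEME, "BOB-OIDC")
    out["bob_after"] = strict_login(conn, SCHEME, "BOB-OIDC", "bob")
    out["carol"] = strict_login(conn, SCHEME, "CAROL-OIDC", "carol")       # genuinely new user
    out["unlinked_after"] = find_unlinked_users(conn, SCHEME)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Both logins fail before the repairs and succeed afterwards; the audit query is the check worth running against the real database before flipping to strict mode, so that every existing user either has the right ExternalUserId or is linked manually first.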
