This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Allow disabling registration via OIDC and only limiting SSO to sign-in #11968

Closed
digitalentity opened this issue Feb 11, 2022 · 6 comments · Fixed by #14978
Labels
S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@digitalentity

Description:

For some setups that don't allow user registration it may be worthwhile to allow OIDC or OAuth2.0 sign-in for user convenience. However, I haven't found a way to disable creation of new users via OIDC. Sign-in works, but it also enables new users to sign-in to the server freely.

It would be great to change allow_existing_users (or have a new setting) with an enum:

  • no = don't allow sign-in for an existing user
  • yes = allow sign-in for a pre-existing user w/o OIDC mapping
  • only = implies yes, but additionally restricts the sign-in to match only pre-existing users
@clokep
Member

clokep commented Feb 11, 2022

If you want to limit using Synapse to a subset of your SSO users you can probably use the attribute_requirements flag on the OIDC provider config. (SAML has something similar too.)

@digitalentity
Author

digitalentity commented Feb 11, 2022

Good point, but it doesn't cover my use-case unfortunately. In my case users are created on my homeserver and I would like them to be able to authenticate via their Google accounts.

There is no distinction between a Google account of a user who is allowed to access my server and Google account of a user who shouldn't access my server - therefore attribute_requirements won't give me an option to prevent an arbitrary user from signing up.

@clokep
Member

clokep commented Feb 11, 2022

I'm a bit confused about your use-case, is your hope that you can:

  1. Configure SSO to Google.
  2. Register a handful of users (by logging in once with them).
  3. Disable new users from logging in.

Does that match what you're trying to do?

If so, I think you can implement 3 by putting something bogus in attribute_requirements since it is only checked during creation of the user.

I do wonder if the SSO code should check enable_registration flag though. Although I suspect it can't really because that's for different flows...

@digitalentity
Author

> Does that match what you're trying to do?

Precisely. I didn't know that attribute_requirements is checked only during user creation and is not checked during the user login. That's indeed a suitable workaround, although rather fragile IMO.

> I do wonder if the SSO code should check enable_registration flag though. Although I suspect it can't really because that's for different flows...

I was wondering about that as well. Creation of a new user is effectively registration, imagine how surprised I was when I saw new users on my server created despite enable_registration being false 😄

@clokep
Member

clokep commented Feb 11, 2022

> > Does that match what you're trying to do?
>
> Precisely. I didn't know that attribute_requirements is checked only during user creation and is not checked during the user login. That's indeed a suitable workaround, although rather fragile IMO.

It is a bit of a hack (and probably a bug that it doesn't check it at each login...)

> > I do wonder if the SSO code should check enable_registration flag though. Although I suspect it can't really because that's for different flows...
>
> I was wondering about that as well. Creation of a new user is effectively registration, imagine how surprised I was when I saw new users on my server created despite enable_registration being false 😄

👍 Yeah, I understand now what you're hoping for!

@clokep clokep added S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Feb 11, 2022
@warrenbailey
Contributor

I had this problem too, I was seeing users being registered that didn't have an account but did have a valid SSO sign in.

I've raised a PR which adds a check to the OIDC flow for the enabled registration flag. If it's disabled it raises an error and stops the user being registered automatically. They are then redirected to the error page.
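The decision flow discussed in this thread, as an added model written for this page (not Synapse's code and not the PR itself): the `Homeserver` class, `oidc_login` and `scenario` are hypothetical stand-ins for the relevant homeserver.yaml settings and the OIDC callback handler, and the localpart is assumed to come from the user mapping provider. It shows why a user is auto-registered despite `enable_registration: false`, how the bogus `attribute_requirements` workaround blocks that only on the creation path, and what changes once the SSO flow honours `enable_registration`.

```python
from dataclasses import dataclass, field


@dataclass
class Homeserver:
    """Hypothetical stand-in for the relevant homeserver.yaml settings."""
    enable_registration: bool
    allow_existing_users: bool               # per-OIDC-provider option
    attribute_requirements: dict             # {claim: required value}
    users: set = field(default_factory=set)             # existing localparts
    sso_mappings: dict = field(default_factory=dict)    # remote subject -> localpart


def oidc_login(hs, subject, localpart, claims, honour_enable_registration):
    """Return 'login', 'registered' or 'rejected' for one OIDC callback.

    Order follows the thread: a known SSO mapping logs in; with
    allow_existing_users a matching local account is linked; anything else
    is auto-registration, where attribute_requirements is evaluated and,
    only in the fixed flow, enable_registration is enforced as well.
    """
    if subject in hs.sso_mappings:
        return "login"
    if hs.allow_existing_users and localpart in hs.users:
        hs.sso_mappings[subject] = localpart
        return "login"
    # Auto-registration path: attribute_requirements is checked only here,
    # which is why the "bogus requirement" workaround works but is fragile.
    for claim, required in hs.attribute_requirements.items():
        if claims.get(claim) != required:
            return "rejected"
    if honour_enable_registration and not hs.enable_registration:
        return "rejected"           # the fix: SSO respects enable_registration
    hs.users.add(localpart)
    hs.sso_mappings[subject] = localpart
    return "registered"


def scenario(honour_enable_registration, attribute_requirements=None):
    """Constructed data: alice exists locally, bob does not, registration is off."""
    hs = Homeserver(enable_registration=False, allow_existing_users=True,
                    attribute_requirements=attribute_requirements or {},
                    users={"alice"})
    claims = {"email_verified": True}        # neither user carries a bogus claim
    alice = oidc_login(hs, "google:1001", "alice", claims, honour_enable_registration)
    bob = oidc_login(hs, "google:1002", "bob", claims, honour_enable_registration)
    return alice, bob


if __name__ == "__main__":
    print("before fix:", scenario(False))                        # ('login', 'registered')
    print("bogus workaround:", scenario(False, {"never": "match"}))  # ('login', 'rejected')
    print("after fix:", scenario(True))                          # ('login', 'rejected')
```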
