Account changes in pre-authorize are not linked via ExternalAuth

Created on 10 August 2022, over 2 years ago

Updated 26 September 2023, over 1 year ago

Problem/Motivation

Account changes in hook_openid_connect_pre_authorize are not linked to the user via External Authentication (externalauth)'s linkExistingAccount / authmap table. This also has ramifications on the logout, because if the user is not linked via externalauth the logout functionality does not fire - i.e. the user will not be logged out of their IdP even if you specify that they should.

Steps to reproduce

Install and configure this module and a client to use that supports logout; configure it to perform the IdP logout on logout
Create a Drupal account that you will connect to using the client
Implement hook_openid_connect_pre_authorize and use some identifying info in the context to determine when to return the account you created; for simplicity, you could duplicate the email matching logic in OpenIDConnect->completeAuthorization to choose a user (obviously this isn't a real use case, but it will demonstrate the problem that occurs if you are customizing how the user is connected)
Log in as the user via the client
Go to the /user/{user}/connected-accounts page, note that the connection is not listed
Check the ExternalAuth module's authmap table; note that the user mapping is not there
Log out; note that you were not logged out of your provider (this will be evident if you go to sign in again)

Proposed resolution

In OpenIDConnect->completeAuthorization, if the $account is a UserInterface, link the account before saving the user info.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

bgustafson

Live updates comments and jobs are added and updated live.

Incomplete comments

Merge Requests

!152Account changes in pre-authorize are not linked via ExternalAuth
Open
Unnamed author
updated 13 days ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇺🇸United States pcate
Would this issue also cause a change in a users sub to not update in the authmap table?
Comment 13 days ago →
bgustafson
I'm not sure, but it certainly seems plausible. I've had this patched locally for a couple years so I'm not positive, but that does seem vaguely familiar and might be one of the things I ran into. I'm planning to open a merge request with the changes.
Merge request !152Draft: Link existing account from pre-authorize (Issue #3302944) → (Open) created by Unnamed author
Pipeline finished with Success
13 days ago
Total: 277s
#462551
Comment 13 days ago →
bgustafson

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024