Contrib.social

Users can't change email address in account (reopened)

Open on Drupal.org β†’
Created on 9 September 2022, over 2 years ago
Updated 25 January 2023, almost 2 years ago

This is based on #3046635, but we can't post there because that issue was auto-closed.

Problem

Users who have a Drupal account provisioned when logging in with OpenID can't change their email address via their user account settings form, because Drupal requires entering a password to change email address.

Steps to reproduce

1. Install and configure openid_connect module to provision new Drupal accounts if one does not already exist.
2. Log in to a site using OpenID (for example, with Facebook or Google.) Be sure to log in with a user that doesn't already exist on the Drupal site.
3. Visit account settings form and attempt to change email address.
4. Upon submitting the form, you will see this error: `Your current password is missing or incorrect; it's required to change the email address.`

Proposed resolution

  1. Override the default user ProtectedUserFieldConstraint constraint & validator classes to bypass password check if user does not have access to set a password.
  2. Ensure that the data is also updated at the IDP.

Remaining tasks

Tests.

πŸ› Bug report
Status

Needs work

Version

3.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States aasarava

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦

    I don't see anything in the code that'll update the e-mail address at the IDP, or am I missing something?

    I think we need to either:

    • Send data there after we update it in Drupal, or
    • Direct users to the IDP to change their password there (and then update Drupal)?

    The latter probably makes more sense because we want to do that first as it's authoritative (and may have its own rules), and then only update Drupal if it happens over there.

  • Comment almost 2 years ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦
  • Comment almost 2 years ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦

    After further thought (and looking into how Auth0 can support this, or rather doesn't as there's no user-facing front-end for it), I think we need to go with a third option, which includes the following:

    • If the IDP's plugin implements the necessary method for making the change at the IDP:
      1. Allow the change in Drupal (with the work done already), and then
      2. Make the change at the IDP.
    • Otherwise,
      1. Prevent e-mail address changes by greying out the field

      • So we'd need a new method called something like updateUserEmailAddressAtIdp() in OpenIDConnectClientBase. If the plugin in use doesn't implement it, it won't be possible for users to change their e-mail addresses.

      But how do we verify the new e-mail addresses? πŸ› Use email verification when changing user email addresses Needs work isn't in yet, and we'd need to depend on another contrib module if we go with Email Confirmer β†’ . Maybe we should simply document that one of these options, either a core patch or the contrib module, is recommended, and leave it at that.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States pfrilling Minster, OH

    A Drupal user account that gets provisioned through any OpenID client should be considered a federated member. Thus, the Identity Provider (IDP) which provisioned the user should be considered the canonical source for the member's data. Any updates to the member's data should be done on that platform.

    In order to allow for changes to account data within Drupal, I believe a federated member should disconnect their IDP and then follow a password reset process.

    I am in support of disabling the member's email/password fields in these situations. We could probably take it a step farther and provide an action that disconnects them from their IDP and then initiates a password reset to the email stored in the Drupal user account. Then, they could change their password and reconnect to an IDP if they chose.

    As for updating an IDP with updates in Drupal: I do think it would be possible to bubble account changes from Drupal back up to a trusted IDP through an API request, but I believe that is a pretty specific requirement and should live in a projects custom code. There are too many variables at play with too many different API requests for it to live here.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024