Cannot enforce IDP-only account creation

Created on 1 February 2023, almost 2 years ago
Updated 6 October 2023, about 1 year ago

It's not currently possible to enforce IDP-only account creation. Here are the possible scenarios:

Scenario 1

If you set Who can register accounts? to Visitors, the Create new account tab (at /user/register) shows up, which is bad because accounts will be created in Drupal only, outside of the IDP.

Scenario 2

If you set Who can register accounts? to Administrators only in order to prevent that tab/form from showing up, users attempting to log into the site via SSO (while being created on the fly at the IDP) will be hit with

Only administrators can register new accounts.

Proposals

Option 1

If the Replace option is selected under OpenID buttons display in user login form, remove the Create new account form (/user/register), just like it is when only administrators can create accounts (and mention this in the in-line help text for the setting).

So I think we should go with Option 1.

Option 2

Don't do it automatically when Replace is selected. Instead, add another option in the settings for "Disable account creation when Replace is selected" or some such. I don't like this option because it introduces yet another setting.

🐛 Bug report
Status

Needs work

Version

3.0

Component

User interface

Created by

🇨🇦Canada colan Toronto 🇨🇦

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @colan
  • Assigned to colan
  • 🇨🇦Canada colan Toronto 🇨🇦

    I'm working on adding an access check for the user.register route that will disallow when:

    • Replace is selected and
    • the showcore URL parameter is missing
  • @colan opened merge request.
  • Status changed to Needs review almost 2 years ago
  • 🇨🇦Canada colan Toronto 🇨🇦
  • 🇨🇦Canada colan Toronto 🇨🇦

    Here's a patch for Composer.

  • Status changed to Needs work almost 2 years ago
  • 🇧🇪Belgium BramDriesen Belgium 🇧🇪

    I don't think this is this approach is the best way forward for a few reasons.

    We have websites with a mix of both Drupal managed users and users coming from different systems. So just checking if the "replace" option is checked will not work in that case.

    Also, isn't that why there is an option in the settings called "Override registration settings" ?

    If enabled, user creation will always be allowed, even if the registration setting is set to require admin approval, or only allowing admins to create users.

  • 🇦🇺Australia realityloop

    I've just created a patch that adds an additional checkbox to openid_connect settings that allows both account creation and approval see #2974381

Production build 0.71.5 2024