Contrib.social

Cannot enforce IDP-only account creation

Open on Drupal.org β†’
Created on 1 February 2023, over 1 year ago
Updated 6 October 2023, 9 months ago

It's not currently possible to enforce IDP-only account creation. Here are the possible scenarios:

Scenario 1

If you set Who can register accounts? to Visitors, the Create new account tab (at /user/register) shows up, which is bad because accounts will be created in Drupal only, outside of the IDP.

Scenario 2

If you set Who can register accounts? to Administrators only in order to prevent that tab/form from showing up, users attempting to log into the site via SSO (while being created on the fly at the IDP) will be hit with

Only administrators can register new accounts.

Proposals

Option 1

If the Replace option is selected under OpenID buttons display in user login form, remove the Create new account form (/user/register), just like it is when only administrators can create accounts (and mention this in the in-line help text for the setting).

So I think we should go with Option 1.

Option 2

Don't do it automatically when Replace is selected. Instead, add another option in the settings for "Disable account creation when Replace is selected" or some such. I don't like this option because it introduces yet another setting.

πŸ› Bug report
Status

Needs work

Version

3.0

Component

User interface

Created by

πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @colan
  • Assigned to colan
  • Comment over 1 year ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦

    I'm working on adding an access check for the user.register route that will disallow when:

    • Replace is selected and
    • the showcore URL parameter is missing
  • @colan opened merge request.
  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦
  • Comment over 1 year ago β†’
    πŸ‡¨πŸ‡¦Canada colan Toronto πŸ‡¨πŸ‡¦

    Here's a patch for Composer.

  • Status changed to Needs work over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡§πŸ‡ͺBelgium BramDriesen Belgium πŸ‡§πŸ‡ͺ

    I don't think this is this approach is the best way forward for a few reasons.

    We have websites with a mix of both Drupal managed users and users coming from different systems. So just checking if the "replace" option is checked will not work in that case.

    Also, isn't that why there is an option in the settings called "Override registration settings" ?

    If enabled, user creation will always be allowed, even if the registration setting is set to require admin approval, or only allowing admins to create users.

  • Comment 9 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia realityloop

    I've just created a patch that adds an additional checkbox to openid_connect settings that allows both account creation and approval see #2974381

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024