OIDC link user by iss/sub

api/oidc.go

@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -56,6 +58,7 @@ func NewOIDC(conf *config.Configuration, db *database.GormDatabase, userChangeNo
 		PasswordStrength:   conf.PassStrength,
 		SecureCookie:       conf.Server.SecureCookie,
 		AutoRegister:       conf.OIDC.AutoRegister,
+		LinkByUsername:     conf.OIDC.LinkByUsername,
 		pendingSessions:    decaymap.NewDecayMap[string, *pendingOIDCSession](time.Now(), pendingSessionMaxAge),
 	}
 }
@@ -83,6 +86,7 @@ type OIDCAPI struct {
 	PasswordStrength   int
 	SecureCookie       bool
 	AutoRegister       bool
+	LinkByUsername     bool
 	pendingSessions    *decaymap.DecayMap[string, *pendingOIDCSession]
 }
 
@@ -196,7 +200,7 @@ func (a *OIDCAPI) ElevateHandler(ctx *gin.Context) {
 //	        $ref: "#/definitions/Error"
 func (a *OIDCAPI) CallbackHandler() gin.HandlerFunc {
 	callback := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, provider rp.RelyingParty, info *oidc.UserInfo) {
-		user, status, err := a.resolveUser(info)
+		user, status, err := a.resolveUser(tokens.IDTokenClaims.GetIssuer(), info)
 		if err != nil {
 			http.Error(w, err.Error(), status)
 			return
@@ -362,7 +366,7 @@ func (a *OIDCAPI) ExternalTokenHandler(ctx *gin.Context) {
 		ctx.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to get user info: %w", err))
 		return
 	}
-	user, status, resolveErr := a.resolveUser(info)
+	user, status, resolveErr := a.resolveUser(tokens.IDTokenClaims.GetIssuer(), info)
 	if resolveErr != nil {
 		ctx.AbortWithError(status, resolveErr)
 		return
@@ -386,32 +390,83 @@ func (a *OIDCAPI) generateState() (string, error) {
 	return hex.EncodeToString(nonce), nil
 }
 
-// resolveUser looks up or creates a user from OIDC userinfo claims.
-func (a *OIDCAPI) resolveUser(info *oidc.UserInfo) (*model.User, int, error) {
+// resolveUser looks up, links, or creates the user bound to an OIDC identity.
+//
+//  1. Look up the user by OIDC id (<iss>#<sub>). If found, use it.
+//  2. Otherwise look up a user by the username claim. If one exists, link it to
+//     this OIDC identity, which requires GOTIFY_OIDC_LINK_BY_USERNAME and
+//     that the user is not already bound to a different identity.
+//  3. Otherwise auto-register a new user, which requires GOTIFY_OIDC_AUTOREGISTER.
+func (a *OIDCAPI) resolveUser(issuer string, info *oidc.UserInfo) (*model.User, int, error) {
+	if issuer == "" {
+		return nil, http.StatusInternalServerError, errors.New("issuer claim was empty")
+	}
+	if _, err := url.Parse(issuer); err != nil {
+		return nil, http.StatusInternalServerError, fmt.Errorf("issuer url %q is not a valid url: %w", issuer, err)
+	}
+	if strings.Contains(issuer, "#") {
+		return nil, http.StatusInternalServerError, fmt.Errorf("issuer url %q may not contain a fragment", issuer)
+	}
+	subject := info.GetSubject()
+	if subject == "" {
+		return nil, http.StatusInternalServerError, errors.New("subject claim was empty")
+	}
+	oidcID := issuer + "#" + subject
+
+	user, err := a.DB.GetUserByOIDC(oidcID)
+	if err != nil {
+		return nil, http.StatusInternalServerError, fmt.Errorf("database error: %w", err)
+	}
+	if user != nil {
+		return user, 0, nil
+	}
+
 	usernameRaw, ok := info.Claims[a.UsernameClaim]
 	if !ok {
 		return nil, http.StatusInternalServerError, fmt.Errorf("username claim %q is missing", a.UsernameClaim)
 	}
 	username := fmt.Sprint(usernameRaw)
 	if username == "" || usernameRaw == nil {
-		return nil, http.StatusInternalServerError, fmt.Errorf("username claim was empty")
+		return nil, http.StatusInternalServerError, errors.New("username claim was empty")
 	}
 
-	user, err := a.DB.GetUserByName(username)
+	byUsername, err := a.DB.GetUserByName(username)
 	if err != nil {
 		return nil, http.StatusInternalServerError, fmt.Errorf("database error: %w", err)
 	}
-	if user == nil {
-		if !a.AutoRegister {
-			return nil, http.StatusForbidden, fmt.Errorf("user does not exist and auto-registration is disabled")
-		}
-		user = &model.User{Name: username, Admin: false, Pass: nil}
-		if err := a.DB.CreateUser(user); err != nil {
-			return nil, http.StatusInternalServerError, fmt.Errorf("failed to create user: %w", err)
-		}
-		if err := a.UserChangeNotifier.fireUserAdded(user.ID); err != nil {
-			log.Error().Err(err).Uint("user_id", user.ID).Msg("Could not notify user change")
-		}
+	if byUsername != nil {
+		return a.linkExistingUser(byUsername, oidcID)
+	}
+	return a.registerUser(username, oidcID)
+}
+
+func (a *OIDCAPI) linkExistingUser(user *model.User, oidcID string) (*model.User, int, error) {
+	if !a.LinkByUsername {
+		log.Warn().Str("oidc_id", oidcID).Str("username", user.Name).Msgf("OIDC login rejected: a local user with the username already exists and %s is disabled", config.EnvOIDCLinkByUsername)
+		return nil, http.StatusForbidden, fmt.Errorf("a local user with the username %s already exists and linking by username is disabled", user.Name)
+	}
+	if user.OIDCID != nil {
+		log.Warn().Str("oidc_id", oidcID).Str("bound_oidc_id", *user.OIDCID).Str("username", user.Name).Msg("OIDC login rejected: the username is already bound to a different OIDC identity")
+		return nil, http.StatusForbidden, fmt.Errorf("the user %s is already bound to a different OIDC identity", user.Name)
+	}
+	user.OIDCID = &oidcID
+	if err := a.DB.UpdateUser(user); err != nil {
+		return nil, http.StatusInternalServerError, fmt.Errorf("failed to bind user to OIDC identity: %w", err)
+	}
+	return user, 0, nil
+}
+
+func (a *OIDCAPI) registerUser(username, oidcID string) (*model.User, int, error) {
+	if !a.AutoRegister {
+		return nil, http.StatusForbidden, errors.New("user does not exist and auto-registration is disabled")
+	}
+	user := &model.User{Name: username, Admin: false, Pass: nil, OIDCID: &oidcID}
+	if err := a.DB.CreateUser(user); err != nil {
+		return nil, http.StatusInternalServerError, fmt.Errorf("failed to create user: %w", err)
+	}
+	log.Info().Str("oidc_id", oidcID).Str("username", user.Name).Msg("OIDC auto registration")
+	if err := a.UserChangeNotifier.fireUserAdded(user.ID); err != nil {
+		log.Error().Err(err).Uint("user_id", user.ID).Msg("Could not notify user change")
 	}
 	return user, 0, nil
 }

api/oidc_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/gotify/server/v2/auth"
 	"github.com/gotify/server/v2/decaymap"
 	"github.com/gotify/server/v2/mode"
+	"github.com/gotify/server/v2/model"
 	"github.com/gotify/server/v2/test"
 	"github.com/gotify/server/v2/test/testdb"
 	"github.com/stretchr/testify/assert"
@@ -19,6 +20,8 @@ import (
 
 var origGenClientToken = generateClientToken
 
+const testIssuer = "https://idp.example.com"
+
 func TestOIDCSuite(t *testing.T) {
 	suite.Run(t, new(OIDCSuite))
 }
@@ -62,83 +65,172 @@ func (s *OIDCSuite) Test_GenerateState_Unique() {
 	assert.NotEqual(s.T(), s1, s2)
 }
 
-func (s *OIDCSuite) Test_ResolveUser_ExistingUser() {
-	s.db.NewUserWithName(1, "alice")
+func (s *OIDCSuite) Test_ResolveUser_ReturningUser_MatchedByOIDCID() {
+	oidcID := testIssuer + "#sub-1"
+	s.db.CreateUser(&model.User{ID: 1, Name: "alice", OIDCID: &oidcID})
 
-	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": "alice"}}
-	user, status, err := s.a.resolveUser(info)
+	// The username claim differs from the stored name; the binding still matches.
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "renamed"}}
+	user, status, err := s.a.resolveUser(testIssuer, info)
 
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), 0, status)
+	assert.Equal(s.T(), uint(1), user.ID)
 	assert.Equal(s.T(), "alice", user.Name)
+	assert.False(s.T(), s.notified)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_LinkByUsername_BindsExistingUser() {
+	s.a.LinkByUsername = true
+	s.db.NewUserWithName(1, "alice")
+
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "alice"}}
+	user, _, err := s.a.resolveUser(testIssuer, info)
+
+	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), uint(1), user.ID)
+	assert.NotNil(s.T(), user.OIDCID)
+	assert.Equal(s.T(), testIssuer+"#sub-1", *user.OIDCID)
+	// Binding an existing user is not a registration, so no notification.
 	assert.False(s.T(), s.notified)
+
+	bound, err := s.db.GetUserByOIDC(testIssuer + "#sub-1")
+	assert.NoError(s.T(), err)
+	assert.NotNil(s.T(), bound)
+	assert.Equal(s.T(), uint(1), bound.ID)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_InvalidIssuer() {
+	s.db.NewUserWithName(1, "alice")
+
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "alice"}}
+	_, status, err := s.a.resolveUser("://example.org", info)
+
+	assert.EqualError(s.T(), err, `issuer url "://example.org" is not a valid url: parse "://example.org": missing protocol scheme`)
+	assert.Equal(s.T(), 500, status)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_InvalidIssuer_containsFragment() {
+	s.db.NewUserWithName(1, "alice")
+
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "alice"}}
+	_, status, err := s.a.resolveUser(testIssuer+"#", info)
+
+	assert.EqualError(s.T(), err, `issuer url "https://idp.example.com#" may not contain a fragment`)
+	assert.Equal(s.T(), 500, status)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_LinkDisabled_RejectsExistingUsername() {
+	s.db.NewUserWithName(1, "alice")
+
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "alice"}}
+	_, status, err := s.a.resolveUser(testIssuer, info)
+
+	assert.EqualError(s.T(), err, "a local user with the username alice already exists and linking by username is disabled")
+	assert.Equal(s.T(), 403, status)
+
+	// The existing user must not have been bound.
+	user, _ := s.db.GetUserByName("alice")
+	assert.Nil(s.T(), user.OIDCID)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_LinkByUsername_RejectsDifferentIdentity() {
+	s.a.LinkByUsername = true
+	otherID := testIssuer + "#other-sub"
+	s.db.CreateUser(&model.User{ID: 1, Name: "alice", OIDCID: &otherID})
+
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "alice"}}
+	_, status, err := s.a.resolveUser(testIssuer, info)
+
+	assert.EqualError(s.T(), err, "the user alice is already bound to a different OIDC identity")
+	assert.Equal(s.T(), 403, status)
 }
 
 func (s *OIDCSuite) Test_ResolveUser_AutoRegister() {
-	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": "newuser"}}
-	user, status, err := s.a.resolveUser(info)
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "newuser"}}
+	user, status, err := s.a.resolveUser(testIssuer, info)
 
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), 0, status)
 	assert.Equal(s.T(), "newuser", user.Name)
 	assert.False(s.T(), user.Admin)
+	assert.NotNil(s.T(), user.OIDCID)
+	assert.Equal(s.T(), testIssuer+"#sub-1", *user.OIDCID)
 	assert.True(s.T(), s.notified)
 
-	// verify persisted
-	dbUser, err := s.db.GetUserByName("newuser")
+	// Verify persisted and bound.
+	dbUser, err := s.db.GetUserByOIDC(testIssuer + "#sub-1")
 	assert.NoError(s.T(), err)
 	assert.NotNil(s.T(), dbUser)
+	assert.Equal(s.T(), "newuser", dbUser.Name)
 }
 
 func (s *OIDCSuite) Test_ResolveUser_AutoRegisterDisabled() {
 	s.a.AutoRegister = false
-	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": "newuser"}}
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "newuser"}}
 
-	_, status, err := s.a.resolveUser(info)
+	_, status, err := s.a.resolveUser(testIssuer, info)
 
-	assert.Error(s.T(), err)
+	assert.EqualError(s.T(), err, "user does not exist and auto-registration is disabled")
 	assert.Equal(s.T(), 403, status)
 	s.db.AssertUsernameNotExist("newuser")
 }
 
+func (s *OIDCSuite) Test_ResolveUser_MissingIssuer() {
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": "newuser"}}
+
+	_, status, err := s.a.resolveUser("", info)
+
+	assert.EqualError(s.T(), err, "issuer claim was empty")
+	assert.Equal(s.T(), 500, status)
+}
+
+func (s *OIDCSuite) Test_ResolveUser_MissingSubject() {
+	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": "newuser"}}
+
+	_, status, err := s.a.resolveUser(testIssuer, info)
+
+	assert.EqualError(s.T(), err, "subject claim was empty")
+	assert.Equal(s.T(), 500, status)
+}
+
 func (s *OIDCSuite) Test_ResolveUser_MissingClaim() {
-	info := &oidc.UserInfo{Claims: map[string]any{}}
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{}}
 
-	_, status, err := s.a.resolveUser(info)
+	_, status, err := s.a.resolveUser(testIssuer, info)
 
-	assert.Error(s.T(), err)
+	assert.EqualError(s.T(), err, `username claim "preferred_username" is missing`)
 	assert.Equal(s.T(), 500, status)
-	assert.Contains(s.T(), err.Error(), "preferred_username")
 }
 
 func (s *OIDCSuite) Test_ResolveUser_EmptyClaim() {
-	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": ""}}
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": ""}}
 
-	_, status, err := s.a.resolveUser(info)
+	_, status, err := s.a.resolveUser(testIssuer, info)
 
-	assert.Error(s.T(), err)
+	assert.EqualError(s.T(), err, "username claim was empty")
 	assert.Equal(s.T(), 500, status)
 }
 
 func (s *OIDCSuite) Test_ResolveUser_NilClaim() {
-	info := &oidc.UserInfo{Claims: map[string]any{"preferred_username": nil}}
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"preferred_username": nil}}
 
-	_, status, err := s.a.resolveUser(info)
+	_, status, err := s.a.resolveUser(testIssuer, info)
 
-	assert.Error(s.T(), err)
+	assert.EqualError(s.T(), err, "username claim was empty")
 	assert.Equal(s.T(), 500, status)
 }
 
 func (s *OIDCSuite) Test_ResolveUser_CustomClaim() {
 	s.a.UsernameClaim = "email"
-	s.db.NewUserWithName(1, "alice@example.com")
 
-	info := &oidc.UserInfo{Claims: map[string]any{"email": "alice@example.com"}}
-	user, _, err := s.a.resolveUser(info)
+	info := &oidc.UserInfo{Subject: "sub-1", Claims: map[string]any{"email": "new@example.com"}}
+	user, status, err := s.a.resolveUser(testIssuer, info)
 
 	assert.NoError(s.T(), err)
-	assert.Equal(s.T(), "alice@example.com", user.Name)
+	assert.Equal(s.T(), 0, status)
+	assert.Equal(s.T(), "new@example.com", user.Name)
+	assert.NotNil(s.T(), user.OIDCID)
 }
 
 // --- createClient ---
@@ -170,6 +262,7 @@ func (s *OIDCSuite) Test_ExternalAuthorizeHandler_MissingFields() {
 	s.a.ExternalAuthorizeHandler(s.ctx)
 
 	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.Contains(s.T(), s.ctx.Errors.Last().Error(), "'CodeChallenge' failed on the 'required' tag")
 }
 
 // --- ExternalTokenHandler ---
@@ -181,6 +274,7 @@ func (s *OIDCSuite) Test_ExternalTokenHandler_InvalidJSON() {
 	s.a.ExternalTokenHandler(s.ctx)
 
 	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.Contains(s.T(), s.ctx.Errors.Last().Error(), "invalid character")
 }
 
 func (s *OIDCSuite) Test_ExternalTokenHandler_UnknownState() {
@@ -192,4 +286,5 @@ func (s *OIDCSuite) Test_ExternalTokenHandler_UnknownState() {
 	s.a.ExternalTokenHandler(s.ctx)
 
 	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.EqualError(s.T(), s.ctx.Errors.Last(), "unknown or expired state")
 }