Add the ability to enable/disable registrations when in the OIDC flow (#14978)

Signed-off-by: Warren Bailey <warren@warrenbailey.net>
2025-09-28 00:50:53 -04:00 · 2023-03-30 12:09:41 +01:00 · 2023-03-30 12:09:41 +01:00 · a3bad89d57
commit a3bad89d57
parent 9228ae633f
6 changed files with 44 additions and 3 deletions
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@ -136,6 +136,7 @@ OIDC_PROVIDER_CONFIG_SCHEMA = {
            "type": "array",
            "items": SsoAttributeRequirement.JSON_SCHEMA,
        },
+        "enable_registration": {"type": "boolean"},
    },
 }

@ -306,6 +307,7 @@ def _parse_oidc_config_dict(
        user_mapping_provider_class=user_mapping_provider_class,
        user_mapping_provider_config=user_mapping_provider_config,
        attribute_requirements=attribute_requirements,
+        enable_registration=oidc_config.get("enable_registration", True),
    )


@ -405,3 +407,6 @@ class OidcProviderConfig:

    # required attributes to require in userinfo to allow login/registration
    attribute_requirements: List[SsoAttributeRequirement]
+
+    # Whether automatic registrations are enabled in the ODIC flow. Defaults to True
+    enable_registration: bool
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@ -1239,6 +1239,7 @@ class OidcProvider:
            grandfather_existing_users,
            extra_attributes,
            auth_provider_session_id=sid,
+            registration_enabled=self._config.enable_registration,
        )

    def _remote_id_from_userinfo(self, userinfo: UserInfo) -> str:
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@ -383,6 +383,7 @@ class SsoHandler:
        grandfather_existing_users: Callable[[], Awaitable[Optional[str]]],
        extra_login_attributes: Optional[JsonDict] = None,
        auth_provider_session_id: Optional[str] = None,
+        registration_enabled: bool = True,
    ) -> None:
        """
        Given an SSO ID, retrieve the user ID for it and possibly register the user.
@ -435,6 +436,10 @@ class SsoHandler:

            auth_provider_session_id: An optional session ID from the IdP.

+            registration_enabled: An optional boolean to enable/disable automatic
+            registrations of new users. If false and the user does not exist then the
+            flow is aborted. Defaults to true.
+
        Raises:
            MappingException if there was a problem mapping the response to a user.
            RedirectException: if the mapping provider needs to redirect the user
@ -462,8 +467,16 @@ class SsoHandler:
                        auth_provider_id, remote_user_id, user_id
                    )

-            # Otherwise, generate a new user.
-            if not user_id:
+            if not user_id and not registration_enabled:
+                logger.info(
+                    "User does not exist and registration are disabled for IdP '%s' and remote_user_id '%s'",
+                    auth_provider_id,
+                    remote_user_id,
+                )
+                raise MappingException(
+                    "User does not exist and registrations are disabled"
+                )
+            elif not user_id:  # Otherwise, generate a new user.
                attributes = await self._call_attribute_mapper(sso_to_matrix_id_mapper)

                next_step_url = self._get_url_for_next_new_user_step(