[feature] overhaul the oidc system (#961)

* [feature] overhaul the oidc system this allows for more flexible username handling and prevents account takeover using old email addresses * [feature] add migration path for old OIDC users * [feature] nicer error reporting for users * [docs] document the new OIDC flow * [fix] return early on oidc error * [docs]: add comments on the finalization logic
2025-12-15 13:33:00 -06:00 · 2022-12-06 14:15:56 +01:00 · 2022-12-06 14:15:56 +01:00 · 199b685f43
commit 199b685f43
parent 1a3f26fb5c
20 changed files with 335 additions and 119 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -114,6 +114,7 @@ type Configuration struct {
 	OIDCClientID         string   `name:"oidc-client-id" usage:"ClientID of GoToSocial, as registered with the OIDC provider."`
 	OIDCClientSecret     string   `name:"oidc-client-secret" usage:"ClientSecret of GoToSocial, as registered with the OIDC provider."`
 	OIDCScopes           []string `name:"oidc-scopes" usage:"OIDC scopes."`
+	OIDCLinkExisting     bool     `name:"oidc-link-existing" usage:"link existing user accounts to OIDC logins based on the stored email value"`

 	SMTPHost     string `name:"smtp-host" usage:"Host of the smtp server. Eg., 'smtp.eu.mailgun.org'"`
 	SMTPPort     int    `name:"smtp-port" usage:"Port of the smtp server. Eg., 587"`
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@ -87,6 +87,7 @@ var Defaults = Configuration{
 	OIDCClientID:         "",
 	OIDCClientSecret:     "",
 	OIDCScopes:           []string{oidc.ScopeOpenID, "profile", "email", "groups"},
+	OIDCLinkExisting:     false,

 	SMTPHost:     "",
 	SMTPPort:     0,
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@ -1545,6 +1545,31 @@ func GetOIDCScopes() []string { return global.GetOIDCScopes() }
 // SetOIDCScopes safely sets the value for global configuration 'OIDCScopes' field
 func SetOIDCScopes(v []string) { global.SetOIDCScopes(v) }

+// GetOIDCLinkExisting safely fetches the Configuration value for state's 'OIDCLinkExisting' field
+func (st *ConfigState) GetOIDCLinkExisting() (v bool) {
+	st.mutex.Lock()
+	v = st.config.OIDCLinkExisting
+	st.mutex.Unlock()
+	return
+}
+
+// SetOIDCLinkExisting safely sets the Configuration value for state's 'OIDCLinkExisting' field
+func (st *ConfigState) SetOIDCLinkExisting(v bool) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.OIDCLinkExisting = v
+	st.reloadToViper()
+}
+
+// OIDCLinkExistingFlag returns the flag name for the 'OIDCLinkExisting' field
+func OIDCLinkExistingFlag() string { return "oidc-link-existing" }
+
+// GetOIDCLinkExisting safely fetches the value for global configuration 'OIDCLinkExisting' field
+func GetOIDCLinkExisting() bool { return global.GetOIDCLinkExisting() }
+
+// SetOIDCLinkExisting safely sets the value for global configuration 'OIDCLinkExisting' field
+func SetOIDCLinkExisting(v bool) { global.SetOIDCLinkExisting(v) }
+
 // GetSMTPHost safely fetches the Configuration value for state's 'SMTPHost' field
 func (st *ConfigState) GetSMTPHost() (v string) {
 	st.mutex.Lock()
@ -1919,3 +1944,4 @@ func GetAdminMediaPruneDryRun() bool { return global.GetAdminMediaPruneDryRun()

 // SetAdminMediaPruneDryRun safely sets the value for global configuration 'AdminMediaPruneDryRun' field
 func SetAdminMediaPruneDryRun(v bool) { global.SetAdminMediaPruneDryRun(v) }
+