tgstation
OIDC Strict cannot handle existing users if OIDC connection is mismatched
Describe the bug As explained on discord, OIDC strict mode prevents all user editing, and aborts logins if it ever tries to create a user that already exists.
To Reproduce Steps to reproduce the behavior:
- Start TGS in non-strict OIDC
- Create a user with a CanonicalName that will be a future OIDC connection (but either have no OIDC connection or have something that isn't the new OIDC connection exactly)
- Restart TGS in strict OIDC
- Attempt to log in as the previously created user
Expected behavior User is able to log in (existing entry is trampled/edited)
Logs error.txt
Server State: (please complete the following information):
- OS: Linux (Manjaro)
- Version: v6.18.0 https://discord.com/channels/484170914754330625/653425022966169620/1370758808657199156
- Database Type/Version: Mysql 8.4.5
- BYOND Version Used: N/A
- git Repository Used: N/A
- Origin Commit hash Used: N/A
- Active Test Merges: N/A
- Client Version: v6.10.0 (GITHUB)
Additional context https://discord.com/channels/484170914754330625/653425022966169620/1373802880577966182
Solutions:
- If an OIDC connection exists but needs to be renamed:
update OidcConnections set ExternalUserId='NEWOIDC' where ExternalUserId='OLDOIDC'; - If it doesn't, either drop back to non-strict and add it, or create the entire row in OidcConnections
- Allow users to be deleted
- Allow users to have OIDC connections edited
- Allow TGS to edit an existing user on login that collides
Also of note, it seems it will write a new entry to db when attempting to create a new user, and this will also break all future attempts for that user to log in because they don't have an OIDC connection set, and the username can collide.