Allow OIDC for existing users

[OmmyZhang]

Allows merging oidc with existing users and allows always using userinfo endpoint.
a patch by @BBBSnowball

fix #7633 and #8155

[clokep]

@OmmyZhang Can you merge develop in again? We had a broken test that got fixed an hour or so ago. Sorry about that! 👍

[clokep]

This replaces #8178 (just to cross-link).

[richvdh]

please could you separate this into two PRs: one for the gitlab fix, and the other for the existing users?

[OmmyZhang]

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

[clokep]

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

I think the changes for GitLab are already up as #7658.

[OmmyZhang]

@richvdh Sure!
This PR is based on BBBSnowball's patch, so maybe it's not good to rewrite all changes (and erase his contribution). How about this: I will undo changes for the gitlab fix, and after this PR is merged, I will revert this undoing (on another branch) to make the other PR.

I think the changes for GitLab are already up as #7658.

Great. Now things are easier.

[richvdh]

thanks for this! A few comments.

[richvdh]

it is not a given that the registered user id is the same as the id we looked up (note: "_case_insensitive".) get_users_by_id_case_insensitive returns a dict of potiental matches. please use it.

[richvdh]

the docstring on this method says:

    If a user already exists with the mxid we've mapped, raise an exception.

Please update it.

[richvdh]

Suggested change

	This adds config option that allows merging OpenID Connect users with existing users.
	Add a configuration option that allows existing users to log in with OpenID Connect. Contributed by @BBBSnowball and @OmmyZhang.

[richvdh]

this doesn't seem a great name for this option. How about allow_existing_users ?

[richvdh]

https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format says:

For boolean (on/off) options, convention is that this example should be the opposite to the default (so the comment will end with "Uncomment the following to enable [or disable] ."

please could you follow the conventions.

[OmmyZhang]

@richvdh thanks for your suggestions. Now it's updated.

[clokep]

I think it is close! Just a couple more details to work out!

[clokep]

Can matches have multiple items? Should we still error in that case? It feels arbitrary to choose the first one. At the very least I think we should log something.

[OmmyZhang]

I think there can't be more than one item as the same (case insensitive) usernames are not allowed. This is also why we need get_users_by_id_case_insensitive.

synapse/synapse/handlers/register.py

Lines 111 to 116 in efb6b66

	users = await self.store.get_users_by_id_case_insensitive(user_id)
	if users:
	if not guest_access_token:
	raise SynapseError(
	400, "User ID already taken.", errcode=Codes.USER_IN_USE
	)

Maybe we should log something if there're more than one, to show that something goes wrong? But it's a little strange. If we do, we should also do this in many other places.

[OmmyZhang]

Well, I find auth considers more. But I still can't understand why there can be multiple matches. Maybe for backward compatibility？

synapse/synapse/handlers/auth.py

Lines 753 to 758 in efb6b66

	elif user_id in user_infos:
	# multiple matches, but one is exact
	result = (user_id, user_infos[user_id])
	else:
	# multiple matches, none of them exact
	logger.warning(

[clokep]

Suggested change

	If a user already exists with the mxid we've mapped and allow_existing_users
	is disabled , raise an exception.
	If a user already exists with the mxid we've mapped and allow_existing_users
	is disabled, raise an exception.

[clokep]

I don't think this comment is very descriptive -- what's the token that's being added? Why would I turn this on?

Suggested change

	# Uncomment to add oidc token to the account instead of failing when user already exists. Defaults to false.
	# Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
	# of failing. This could be used if switching from password logins to OIDC. Defaults to false.

[OmmyZhang]

Sorry I have to create a new PR as I realized that this branch can't be auto-updated after I delete my repository and re-fork from matrix-org/synapse.

#8345 will replace this one.