Prefer matching users on OIDC sub

As in theory emails can be changed in Keycloak, we should prefer to match on Keycloak's "unique user identifier".
archlinux · Nov 3, 2023 · 01eb4d4 · 01eb4d4
1 parent 1484c78
commit 01eb4d4
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/devel/auth/DevelOIDCAuthenticationBackend.py b/devel/auth/DevelOIDCAuthenticationBackend.py
@@ -36,6 +36,24 @@ class MyOIDCAB(OIDCAuthenticationBackend):
     SUPPORTSTAFF_GROUP = Group.objects.get(name='Support Staff')
     TESTERS_GROUP = Group.objects.get(name='Testers')
 
+    def filter_users_by_claims(self, claims):
+        """Return all users matching the specified email. Overriden to first match on sub
+        """
+        sso_accountid = claims.get('sub')
+        if not sso_accountid:
+            return self.UserModel.objects.none()
+
+        email = claims.get('email')
+        if not email:
+            return self.UserModel.objects.none()
+
+        profile = UserProfile.objects.filter(sso_accountid=sso_accountid).first()
+        if profile:
+            return self.UserModel.objects.filter(id=profile.user.id)
+
+        # Fallback on email
+        return self.UserModel.objects.filter(email__iexact=email)
+
     def update_user_groups(self, user, claims, new=False):
         # TODO: reset groups / repositories if things changed?!
         is_devops = DEVOPS_ROLE in claims.get('roles', [])