From 96641f273eb21f047a5f2d607896785f922d31bc Mon Sep 17 00:00:00 2001
From: Vincent Danjean
Date: Sun, 28 Dec 2025 21:26:47 +0100
Subject: [PATCH 1/2] bugfix: correctly handles error in register_user()

If register_user() fails (existing login, existing email, etc.), do not record $sub with NULL/empty id and add error message (in logs and in the webapp for the user that just successully authenticate)
---
 oidc.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/oidc.php b/oidc.php
index 524ae85..2090fc8 100644
--- a/oidc.php
+++ b/oidc.php
@@ -126,9 +126,18 @@ function oidc_retrieve(OpenIDConnectClient $oidc, $force_registration = false) {
  // If the user is not found, try to register
  if (empty($row['id'])) {
  if ($config['register_new_users'] || $force_registration) {
- // Registration is allowed, overwrite $row
+ // Registration is allowed, overwrite $row on success
  $errors = [];
- $row['id'] = register_user($name, random_pass(), $email, $config['notify_admins_on_register'], $errors, $config['notify_user_on_register']);
+ $id = register_user($name, random_pass(), $email, $config['notify_admins_on_register'], $errors, $config['notify_user_on_register']);
+ if (!empty($errors) or !$id) {
+ if (!isset($_SESSION['page_errors'])) {
+ $_SESSION['page_errors'] = [];
+ }
+ $_SESSION['page_errors'] += $errors;
+ trigger_error("A problem occurred during OIDC user '".$name."' registration. Local user already existing?");
+ return null;
+ }
+ $row['id'] = $id;
  single_insert(OIDC_TABLE, [
  'sub' => $sub,
  'user_id' => $row['id'],

From b8e2b9b76aef147b9a6ba3a1f7e0092812eabd21 Mon Sep 17 00:00:00 2001
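Review bot: `$_SESSION['page_errors'] += $errors;` is an array union, which keeps the existing value for every key present on both sides; if `register_user()` fills `$errors` as a plain list (keys 0, 1, …) and the session already holds page errors under those keys, the newly collected messages are silently dropped and the user sees stale text. Replacing the four lines with `$_SESSION['page_errors'] = array_merge($_SESSION['page_errors'] ?? [], $errors);` keeps every message and drops the separate `isset` guard. Separately, the messages from `register_user()` are shown verbatim to whoever just authenticated at the IdP; if they name the cause ("login already exists", "email already used") they confirm the existence of local accounts to any IdP user, so consider a generic user-facing message and keeping the specific cause only in the `trigger_error()` log line. `or` works in this bare condition but `||` is the conventional operator; oidc_retrieve() starts before and continues after the hunk.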
From: Vincent Danjean
Date: Sun, 28 Dec 2025 21:36:10 +0100
Subject: [PATCH 2/2] feature: allows one to connect an OIDC account to an already existing piwigo account

This feature is useful when previous account already exists. It can happen when accounts where handled by the ldap plugin and we want to switch to the OIDC plugin.
---
 admin.php | 1 +
 conf.php | 1 +
 maintain.class.php | 1 +
 oidc.php | 14 +++++++++++---
 template/config.tpl | 7 +++++++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/admin.php b/admin.php
index a427259..e052dfe 100644
--- a/admin.php
+++ b/admin.php
@@ -91,6 +91,7 @@
  'verify_peer' => isset($_POST['verify_peer']),
  'authparam' => $_POST['authparam'],
  'register_new_users' => isset($_POST['register_new_users']),
+ 'link_to_existing_users' => isset($_POST['link_to_existing_users']),
  'redirect_new_to_profile' => isset($_POST['redirect_new_to_profile']),
  'notify_admins_on_register' => isset($_POST['notify_admins_on_register']),
  'notify_user_on_register' => isset($_POST['notify_user_on_register']),
diff --git a/conf.php b/conf.php
index 4600150..6660272 100644
--- a/conf.php
+++ b/conf.php
@@ -30,6 +30,7 @@
  // 'verify_peer' => false,
  // 'authparam' => '',
  // 'register_new_users' => false,
+ // 'link_to_existing_users' => false,
  // 'redirect_new_to_profile' => false,
  // 'notify_admins_on_register' => false,
  // 'notify_user_on_register' => false,
diff --git a/maintain.class.php b/maintain.class.php
index 7c2bd45..d9a0e67 100644
--- a/maintain.class.php
+++ b/maintain.class.php
@@ -34,6 +34,7 @@ class OpenIdConnect_maintain extends PluginMaintain
  'verify_peer' => true,
  'authparam' => '',
  'register_new_users' => true,
+ 'link_to_existing_users' => false,
  'redirect_new_to_profile' => false,
  'notify_admins_on_register' => false,
  'notify_user_on_register' => false,
diff --git a/oidc.php b/oidc.php
index 2090fc8..b096866 100644
--- a/oidc.php
+++ b/oidc.php
@@ -125,8 +125,13 @@ function oidc_retrieve(OpenIDConnectClient $oidc, $force_registration = false) {
 
  // If the user is not found, try to register
  if (empty($row['id'])) {
- if ($config['register_new_users'] || $force_registration) {
- // Registration is allowed, overwrite $row on success
+ $id = false;
+ if ($config['link_to_existing_users']) {
+ // Trying to find a already existing account with same login
+ $id = get_userid($name);
+ }
+ if (!$id && ($config['register_new_users'] || $force_registration)) {
+ // Registration is allowed, trying to register
  $errors = [];
  $id = register_user($name, random_pass(), $email, $config['notify_admins_on_register'], $errors, $config['notify_user_on_register']);
  if (!empty($errors) or !$id) {
@@ -137,13 +142,16 @@ function oidc_retrieve(OpenIDConnectClient $oidc, $force_registration = false) {
  trigger_error("A problem occurred during OIDC user '".$name."' registration. Local user already existing?");
  return null;
  }
+ }
+ if ($id) {
+ // User account found (existing or just created), overwrite $row
  $row['id'] = $id;
  single_insert(OIDC_TABLE, [
  'sub' => $sub,
  'user_id' => $row['id'],
  ]);
  } else {
- // Registration is not allowed, fail
+ // No way to link to existing user and/or registration is not allowed, fail
  return null;
  }
  }
diff --git a/template/config.tpl b/template/config.tpl
index 54d7cd2..1eb4b6f 100644
--- a/template/config.tpl
+++ b/template/config.tpl
@@ -100,6 +100,13 @@ +
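Review bot: The new `link_to_existing_users` branch binds the OIDC `sub` to whatever local account `get_userid($name)` returns, with the login name as the only evidence; nothing compares the IdP-supplied `$email` with the matched account, so any IdP user whose login equals a local username (including the default admin the template warning names) is linked to it and logged in as it. Before treating the match as valid, fetch the matched account's stored email and require it to equal `$email` (and, where the provider supplies one, a verified-email claim), falling into the existing failure branch with a `trigger_error()` on mismatch rather than continuing to `single_insert`. I cannot see from here what `get_userid()` returns for reserved accounts such as the guest user, so confirm that case cannot produce an id. The enclosing function starts before the hunk.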
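Review bot: Linking a `sub` to a pre-existing local account now happens silently at the `single_insert(OIDC_TABLE, …)` call, while the failure path a few lines up does log via `trigger_error()`; for an action with account-takeover potential an audit record is worth more than the failure one. The `if ($id)` branch no longer knows whether the account was found or created, so keep a flag from the lookup, e.g. `$linked_existing = (bool) $id;` right after `$id = get_userid($name);`, and before the insert add `if ($linked_existing) { trigger_error("OIDC sub linked to existing local user '".$name."' (id ".$id.")", E_USER_NOTICE); }`. Note also that only `$row['id']` is overwritten; if the code after this hunk reads other `$row` fields for the linked account they still hold the result of the failed lookup — I cannot see the rest of oidc_retrieve(), so please confirm.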
  • + WARNING: do not enable this setting if you do not control OID logins. Else, this would allows one to takeover control on local piwigo accounts (such as the default admin account). + It is useful in case of migration from LDAP accounts to OIDC SSO setup for example. +
    + + +
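Review bot: The warning text in the new template block has a grammar slip ("this would allows one to takeover control on local piwigo accounts") and understates the precondition: oidc.php links on login name alone (`get_userid($name)`), so the setting is safe only when every login name the provider can issue belongs to the same person as the local account of that name. Suggested wording: `WARNING: only enable this if you control every login name your OIDC provider can issue. Accounts are linked by login name alone, so a provider user whose login matches a local account (e.g. the default admin) would take it over. Useful when migrating from LDAP accounts to OIDC SSO.` The rendered hunk lost its markup, so I cannot tell which element carries the text.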