ProximApp · vdanjean · Dec 28, 2025 · Dec 28, 2025
diff --git a/admin.php b/admin.php
@@ -91,6 +91,7 @@
 		'verify_peer' => isset($_POST['verify_peer']), 
 		'authparam' => $_POST['authparam'], 
 		'register_new_users' => isset($_POST['register_new_users']), 
+		'link_to_existing_users' => isset($_POST['link_to_existing_users']),
 		'redirect_new_to_profile' => isset($_POST['redirect_new_to_profile']), 
 		'notify_admins_on_register' => isset($_POST['notify_admins_on_register']),
 		'notify_user_on_register' => isset($_POST['notify_user_on_register']), 

diff --git a/conf.php b/conf.php
@@ -30,6 +30,7 @@
     // 'verify_peer' => false,
     // 'authparam' => '',
     // 'register_new_users' => false,
+    // 'link_to_existing_users' => false,
     // 'redirect_new_to_profile' => false,
     // 'notify_admins_on_register' => false,
     // 'notify_user_on_register' => false,

diff --git a/maintain.class.php b/maintain.class.php
@@ -34,6 +34,7 @@ class OpenIdConnect_maintain extends PluginMaintain
 		'verify_peer' => true,
 		'authparam' => '',
 		'register_new_users' => true,
+		'link_to_existing_users' => false,
 		'redirect_new_to_profile' => false,
 		'notify_admins_on_register' => false,
 		'notify_user_on_register' => false,

diff --git a/oidc.php b/oidc.php
@@ -125,16 +125,33 @@ function oidc_retrieve(OpenIDConnectClient $oidc, $force_registration = false) {
 
 	// If the user is not found, try to register
 	if (empty($row['id'])) {
-		if ($config['register_new_users'] || $force_registration) {
-			// Registration is allowed, overwrite $row
+		$id = false;
+		if ($config['link_to_existing_users']) {
+			// Trying to find a already existing account with same login
+			$id = get_userid($name);
+		}
+		if (!$id && ($config['register_new_users'] || $force_registration)) {
+			// Registration is allowed, trying to register
 			$errors = [];
-			$row['id'] = register_user($name, random_pass(), $email, $config['notify_admins_on_register'], $errors, $config['notify_user_on_register']);
+			$id = register_user($name, random_pass(), $email, $config['notify_admins_on_register'], $errors, $config['notify_user_on_register']);
+			if (!empty($errors) or !$id) {
+				if (!isset($_SESSION['page_errors'])) {
+					$_SESSION['page_errors'] = [];
+				}
+				$_SESSION['page_errors'] += $errors;
+				trigger_error("A problem occurred during OIDC user '".$name."' registration. Local user already existing?");
+				return null;
+			}
+		}
+		if ($id) {
+			// User account found (existing or just created), overwrite $row
+			$row['id'] = $id;
 			single_insert(OIDC_TABLE, [
 				'sub' => $sub,
 				'user_id' => $row['id'],
 			]);
 		} else {
-			// Registration is not allowed, fail
+			// No way to link to existing user and/or registration is not allowed, fail
 			return null;
 		}
 	}

diff --git a/template/config.tpl b/template/config.tpl
@@ -100,6 +100,13 @@
 			<input type="checkbox" name="register_new_users" id="register_new_users" {if $register_new_users}checked="checked"{/if}>
 			<label for="register_new_users">{'Register new Piwigo users on succesful OpenID Connect authentication'|translate}</label>
 		</li>
+		<li>
+			<i style="display:inline-block;max-width:30rem">WARNING: do not enable this setting if you do not control OID logins. Else, this would allows one to takeover control on local piwigo accounts (such as the default admin account).
+			It is useful in case of migration from LDAP accounts to OIDC SSO setup for example.</i>
+			<br/>
+			<input type="checkbox" name="link_to_existing_users" id="link_to_existing_users" {if $link_to_existing_users}checked="checked"{/if}>
+			<label for="link_to_existing_users">{'If a user with same login already exists, link OpenID account to it'|translate}</label>
+		</li>
 		<li>
 			<input type="checkbox" name="redirect_new_to_profile" id="redirect_new_to_profile" {if $redirect_new_to_profile}checked="checked"{/if}>
 			<label for="redirect_new_to_profile">{'Redirect new users to profile page'|translate}</label>