From 7693b0ad3976fdacd0d6fa8838f81490c9307291 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Mon, 31 Mar 2025 01:41:30 +0200
Subject: [PATCH 1/4] add option to control automatic user creation
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/sso/views/base.py | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 66a097b2..015f50af 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -60,6 +60,7 @@ DEFAULT_CONFIG = {
 'OIDC_REDIRECT_URL': None,
 'OIDC_USERNAME_CLAIM': 'email',
 'OIDC_USER_DOMAIN': None,
+ 'OIDC_ENABLE_USER_CREATION': True,
 # Mail settings
 'DMARC_RUA': None,
 'DMARC_RUF': None,
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index f8f7e986..50eb01ec 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -58,6 +58,10 @@ def login():
 user = models.User.get(username)
 if user is None:
+ if not app.config['OIDC_ENABLE_USER_CREATION']:
+ flask.flash('User %s does not exist' % username, 'error')
+ return render_oidc_template(form, fields)
+
 user = models.User.create(username)
 flask.session.regenerate()
From c1ec64084ead1f5453ea04cbf1754f71ee2a0394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Mon, 31 Mar 2025 01:55:21 +0200
Subject: [PATCH 2/4] add new option to readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 671a4443..0ea26a00 100644
--- a/README.md
+++ b/README.md
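Review bot: The rejection path added under `if user is None:` tells the browser via `flask.flash` but records nothing server-side, so an IdP-authenticated subject being turned away because `OIDC_ENABLE_USER_CREATION` is off is invisible to whoever watches the logs; add `app.logger.warning('OIDC login refused: no local account for %s and user creation is disabled', username)` before the `return` (assuming `app` is the Flask application, as its `.config` use suggests). It is also worth confirming that the config loader coerces the environment value to a bool: the default added in configuration.py is a Python `True`, but if `OIDC_ENABLE_USER_CREATION=False` arrives from `mailu.env` as the string `'False'`, `not app.config[...]` is false and creation stays enabled. The flashed message echoes the IdP-supplied `username` verbatim, which is fine as long as the template renders flashes with autoescaping, something this hunk does not show. `login()`'s body starts and continues outside the hunk.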
@@ -91,6 +91,7 @@ properties are needed in `mailu.env`:
 | `OIDC_CHANGE_PASSWORD_REDIRECT_URL` | Defaults to provider issuer url appended by `/.well-known/change-password`. | [https://`host`/pw-change]() |
 | `OIDC_USERNAME_CLAIM` | The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., `sub`), the email address will be constructed as `@`. Defaults to `email`. | `email` \| `sub`
 | `OIDC_USER_DOMAIN` | The domain used when constructing an email from a non-email username (e.g., when `OIDC_USERNAME_CLAIM=sub`). Ignored if `OIDC_USERNAME_CLAIM` is already an email. Defaults to the value of `DOMAIN`. | `example.com`
+| `OIDC_ENABLE_USER_CREATION` | If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to `True`. | `True` \| `False` |
 Here is a snippet for easy copy paste:
From 7931d2f634d36391a72978314f97b8692dc30a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Mon, 31 Mar 2025 02:00:32 +0200
Subject: [PATCH 3/4] correcly fallback to DOMAIN when OIDC_USER_DOMAIN is empty/none
---
 core/admin/mailu/sso/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index f8f7e986..f37e9cdb 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -54,7 +54,7 @@ def login():
 return render_oidc_template(form, fields)
 if '@' not in username:
- username = username + '@' + app.config.get('OIDC_USER_DOMAIN', app.config['DOMAIN'])
+ username = username + '@' + (app.config['OIDC_USER_DOMAIN'] or app.config['DOMAIN'])
 user = models.User.get(username)
 if user is None:
From b43600dfca3f81c3f34996aadfeaa98c1d554424 Mon Sep 17 00:00:00 2001
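Review bot: The value that reaches `models.User.get(username)` after the new line is still the raw IdP claim with a domain appended, and nothing in the hunk constrains what that claim may contain: a claim already holding `@` (say `alice@other.example`) skips the `if '@' not in username:` branch and is used as-is, with nothing visible here tying that domain to one this instance hosts, while claims with spaces, slashes or mixed case become the local part unchanged. Whether that matters depends on what `User.get`/`User.create` do with malformed or differently-cased addresses, which this hunk does not show; if addresses are stored lower-cased, a differently-cased claim would miss the existing account and, with creation enabled, produce a second one. Consider validating the local part before lookup, e.g. `if not re.fullmatch(r'[A-Za-z0-9._%+-]+', username): flask.flash('Invalid username', 'error'); return render_oidc_template(form, fields)` inside the `if '@' not in username:` branch, and normalising with `username.lower()` if that matches how Mailu stores addresses. `login()` starts and ends outside the hunk.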
From: Encotric
Date: Fri, 4 Apr 2025 17:47:55 +0200
Subject: [PATCH 4/4] Remove OIDC_REDIRECT_URL
---
 README.md | 2 --
 core/admin/mailu/configuration.py | 1 -
 core/admin/mailu/oidc.py | 4 +---
 3 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 671a4443..77f7117a 100644
--- a/README.md
+++ b/README.md
@@ -103,8 +103,6 @@ Here is a snippet for easy copy paste:
 OIDC_ENABLED=True
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL=https://:/auth/realms/.well-known/openid-configuration
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://mail.example.com
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID=
 # OpenID Connect Client secret for Mailu
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 66a097b2..639dad05 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -57,7 +57,6 @@ DEFAULT_CONFIG = {
 'OIDC_VERIFY_SSL': True,
 'OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED': True,
 'OIDC_CHANGE_PASSWORD_REDIRECT_URL': None,
- 'OIDC_REDIRECT_URL': None,
 'OIDC_USERNAME_CLAIM': 'email',
 'OIDC_USER_DOMAIN': None,
 # Mail settings
diff --git a/core/admin/mailu/oidc.py b/core/admin/mailu/oidc.py
index df3214c1..1fe53c96 100644
--- a/core/admin/mailu/oidc.py
+++ b/core/admin/mailu/oidc.py
@@ -95,9 +95,7 @@ class OicClient:
 redirect_uri = flask.request.host_url + "sso/login"
- if self.app.config["OIDC_REDIRECT_URL"]:
- redirect_uri = self.app.config["OIDC_REDIRECT_URL"]
- elif flask.request.host not in self.allowed_hostnames:
+ if flask.request.host not in self.allowed_hostnames:
 return None
 args = {
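Review bot: With the `OIDC_REDIRECT_URL` override gone, `redirect_uri` is always derived from `flask.request.host_url`, and the `return None` taken when the host is not in `self.allowed_hostnames` is silent, so a deployment that relied on the removed setting (for example behind a proxy that does not forward scheme and host) now gets failing logins with no log line to explain them; add `self.app.logger.warning('OIDC: refusing redirect_uri for unexpected host %r', flask.request.host)` before `return None` (assuming `self.app` is the Flask app, as the removed `self.app.config` lookups suggest). Keeping the host check as the only gate is the right call security-wise, since an attacker-controlled Host header must not be able to shape the redirect_uri, but it is worth confirming that `allowed_hostnames` entries match the exact form of `flask.request.host` (including any explicit port) and that the scheme in `host_url` is correct behind TLS-terminating proxies, neither of which this hunk shows. The enclosing method starts and ends outside the hunk.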