Merge branch 'master' of github.com:heviat/Mailu-OIDC

README.md

@@ -91,6 +91,7 @@ properties are needed in `mailu.env`:
 | `OIDC_CHANGE_PASSWORD_REDIRECT_URL`     | Defaults to provider issuer url appended by `/.well-known/change-password`.                                         | [https://`host`/pw-change]() |
 | `OIDC_USERNAME_CLAIM`                   | 	The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., `sub`), the email address will be constructed as `<OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>`. Defaults to `email`. | `email` \| `sub`
 | `OIDC_USER_DOMAIN`                      | The domain used when constructing an email from a non-email username (e.g., when `OIDC_USERNAME_CLAIM=sub`). Ignored if `OIDC_USERNAME_CLAIM` is already an email. Defaults to the value of `DOMAIN`. | `example.com`
+| `OIDC_ENABLE_USER_CREATION`             | If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to `True`. | `True` \| `False` |
 
 Here is a snippet for easy copy paste:
 
@@ -103,8 +104,6 @@ Here is a snippet for easy copy paste:
 OIDC_ENABLED=True
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL=https://<host>:<port>/auth/realms/.well-known/openid-configuration
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://mail.example.com
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID=<CLIENT_ID>
 # OpenID Connect Client secret for Mailu

core/admin/mailu/configuration.py

@@ -57,9 +57,9 @@ DEFAULT_CONFIG = {
     'OIDC_VERIFY_SSL': True,
     'OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED': True,
     'OIDC_CHANGE_PASSWORD_REDIRECT_URL': None,
-    'OIDC_REDIRECT_URL': None,
     'OIDC_USERNAME_CLAIM': 'email',
     'OIDC_USER_DOMAIN': None,
+    'OIDC_ENABLE_USER_CREATION': True,
     # Mail settings
     'DMARC_RUA': None,
     'DMARC_RUF': None,

core/admin/mailu/oidc.py

@@ -95,9 +95,7 @@ class OicClient:
 
         redirect_uri = flask.request.host_url + "sso/login"
 
-        if self.app.config["OIDC_REDIRECT_URL"]:
+        if flask.request.host not in self.allowed_hostnames:
-            redirect_uri = self.app.config["OIDC_REDIRECT_URL"]
-        elif flask.request.host not in self.allowed_hostnames:
             return None
 
         args = {

core/admin/mailu/sso/views/base.py

@@ -54,10 +54,14 @@ def login():
                 return render_oidc_template(form, fields)
             
             if '@' not in username:
-                username = username + '@' + app.config.get('OIDC_USER_DOMAIN', app.config['DOMAIN'])
+                username = username + '@' + (app.config['OIDC_USER_DOMAIN'] or app.config['DOMAIN'])
 
             user = models.User.get(username)
             if user is None:
+                if not app.config['OIDC_ENABLE_USER_CREATION']:
+                    flask.flash('User %s does not exist' % username, 'error')
+                    return render_oidc_template(form, fields)
+
                 user = models.User.create(username)
 
             flask.session.regenerate()