Merge branch 'master' of github.com:heviat/Mailu-OIDC

2025-10-30 17:47:54 +00:00 · 2025-04-04 18:17:54 +02:00
parent b886dfda41 edd5fd7082
commit 3c8c08af73
4 changed files with 8 additions and 7 deletions
--- a/README.md
+++ b/README.md
@@ -91,6 +91,7 @@ properties are needed in `mailu.env`:
 | `OIDC_CHANGE_PASSWORD_REDIRECT_URL`     | Defaults to provider issuer url appended by `/.well-known/change-password`.                                         | [https://`host`/pw-change]() |
 | `OIDC_USERNAME_CLAIM`                   | 	The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., `sub`), the email address will be constructed as `<OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>`. Defaults to `email`. | `email` \| `sub`
 | `OIDC_USER_DOMAIN`                      | The domain used when constructing an email from a non-email username (e.g., when `OIDC_USERNAME_CLAIM=sub`). Ignored if `OIDC_USERNAME_CLAIM` is already an email. Defaults to the value of `DOMAIN`. | `example.com`
+| `OIDC_ENABLE_USER_CREATION`             | If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to `True`. | `True` \| `False` |

 Here is a snippet for easy copy paste:

@@ -103,8 +104,6 @@ Here is a snippet for easy copy paste:
 OIDC_ENABLED=True
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL=https://<host>:<port>/auth/realms/.well-known/openid-configuration
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://mail.example.com
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID=<CLIENT_ID>
 # OpenID Connect Client secret for Mailu
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -57,9 +57,9 @@ DEFAULT_CONFIG = {
    'OIDC_VERIFY_SSL': True,
    'OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED': True,
    'OIDC_CHANGE_PASSWORD_REDIRECT_URL': None,
-    'OIDC_REDIRECT_URL': None,
    'OIDC_USERNAME_CLAIM': 'email',
    'OIDC_USER_DOMAIN': None,
+    'OIDC_ENABLE_USER_CREATION': True,
    # Mail settings
    'DMARC_RUA': None,
    'DMARC_RUF': None,
--- a/core/admin/mailu/oidc.py
+++ b/core/admin/mailu/oidc.py
@@ -95,9 +95,7 @@ class OicClient:

        redirect_uri = flask.request.host_url + "sso/login"

-        if self.app.config["OIDC_REDIRECT_URL"]:
-            redirect_uri = self.app.config["OIDC_REDIRECT_URL"]
-        elif flask.request.host not in self.allowed_hostnames:
+        if flask.request.host not in self.allowed_hostnames:
            return None

        args = {
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -54,10 +54,14 @@ def login():
                return render_oidc_template(form, fields)
            
            if '@' not in username:
-                username = username + '@' + app.config.get('OIDC_USER_DOMAIN', app.config['DOMAIN'])
+                username = username + '@' + (app.config['OIDC_USER_DOMAIN'] or app.config['DOMAIN'])

            user = models.User.get(username)
            if user is None:
+                if not app.config['OIDC_ENABLE_USER_CREATION']:
+                    flask.flash('User %s does not exist' % username, 'error')
+                    return render_oidc_template(form, fields)
+
                user = models.User.create(username)

            flask.session.regenerate()