From b20ad8a6228bbff85c7fdef20ec62ac6ffc84223 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Wed, 4 Mar 2026 09:01:58 +0000
Subject: [PATCH] Add config to inhibit account registration for SSO provider.

Add config option to inhibit random fallback ID's for SSO registration.

Signed-off-by: Jason Volk
---
 src/api/client/session/sso.rs | 12 ++++++++++++
 src/core/config/mod.rs | 31 +++++++++++++++++++++++++++++++
 tuwunel-example.toml | 27 +++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)

diff --git a/src/api/client/session/sso.rs b/src/api/client/session/sso.rs
index 8a825682..8021fde2 100644
--- a/src/api/client/session/sso.rs
+++ b/src/api/client/session/sso.rs
@@ -396,6 +396,10 @@ pub(crate) async fn sso_callback_route(
 
 // Attempt to register a non-existing user.
 if !services.users.exists(&user_id).await {
+ if !provider.registration {
+ return Err!(Request(Forbidden("Registration from this provider is disabled")));
+ }
+
 register_user(&services, &provider, &session, &userinfo, &user_id).await?;
 }
 
@@ -697,6 +701,14 @@ async fn try_user_id(
 debug_warn!(?username, "Username exists.");
 return None;
 }
+ } else if unique_id && !provider.unique_id_fallbacks {
+ debug_warn!(
+ ?username,
+ provider = ?provider.brand,
+ "Unique ID fallbacks disabled.",
+ );
+
+ return None;
 }
 
 Some(user_id)
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 5b3504df..fd94ae7b 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
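Review bot: The new `registration` refusal in sso_callback_route returns Forbidden with no server-side record of the event, whereas the sibling `unique_id_fallbacks` branch in try_user_id (second hunk of this file) logs the refusal with `debug_warn!` including the provider brand. An operator who disabled registration for one provider will want to see who was turned away and from which provider, to tell an expected denial from a claim mapping that no longer resolves to an existing account. Consider adding, directly before the `return Err!`, `debug_warn!(?user_id, provider = ?provider.brand, "Registration from this provider is disabled.");`. The body of sso_callback_route begins and continues outside the hunk.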
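Review bot: The `unique_id_fallbacks` refusal in try_user_id is recorded only with `debug_warn!`, yet the option's own documentation frames the situation as one "where an error is warranted" for a misconfigured private server. If `debug_warn!` is, as its name suggests, suppressed outside debug builds or debug log levels, an operator who set the option to false precisely to catch such misconfiguration gets no signal in production logs, only a failed login. A plain `warn!` at this site would match the stated intent, unless the project deliberately reserves that level. The `if` this `else if` extends and the function's signature lie outside the hunk, so how `unique_id` is derived cannot be confirmed from here.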
@@ -2760,6 +2760,37 @@ pub struct IdentityProvider {
 #[serde(default)]
 pub trusted: bool,
 
+ /// Setting this option to false will inhibit unique ID's from being
+ /// generated as a last-resort when determining a UserId from a provider's
+ /// claims. In the case of untrusted providers, when all provided claims
+ /// conflict with existing user accounts, a unique fallback ID needs
+ /// to be generated for registration to not be denied with an error.
+ ///
+ /// Set this option to false if you operate a private server or a trusted
+ /// identity provider where random UserId's are undesirable; the result of a
+ /// misconfiguration or other issue where an error is warranted.
+ ///
+ /// This option should be set to true for public servers or some users may
+ /// never be able to register.
+ ///
+ /// default: true
+ #[serde(default = "true_fn")]
+ pub unique_id_fallbacks: bool,
+
+ /// Controls whether new user registration is possible from this provider.
+ /// When this option is set to false, authorizations from this provider
+ /// only affect existing users and will never result in a new registration
+ /// when the claims fail to match any existing user (in the case of trusted
+ /// providers) or an available username is found (in the case of untrusted
+ /// providers).
+ ///
+ /// Setting this option to false is generally not useful unless there is
+ /// an explicit reason to do so.
+ ///
+ /// default: true
+ #[serde(default = "true_fn")]
+ pub registration: bool,
+
 /// Optional extra path components after the issuer_url leading to the
 /// location of the `.well-known` directory used for discovery. If the path
 /// starts with a slash it will be treated as absolute, meaning overwriting
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
index 79031c2b..10651f84 100644
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
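Review bot: The doc comment on `registration` loses its reader at "or an available username is found" — the clause describes the untrusted-provider case in which registration would otherwise proceed, so it should read `/// when the claims fail to match any existing user (in the case of trusted` / `/// providers) or when an available username is found (in the case of` / `/// untrusted providers).`. Since both new fields gate account creation, the docs should also state how a per-provider `registration = true` relates to any server-wide registration switch, if the configuration has one — whether the provider flag can only further restrict or can also permit registration that the global setting denies — because an operator reading only this field's doc would otherwise assume it is authoritative. The identical wording is repeated in the tuwunel-example.toml hunk and should be corrected there as well.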
@@ -2360,6 +2360,33 @@
 #
 #trusted = false
 
+# Setting this option to false will inhibit unique ID's from being
+# generated as a last-resort when determining a UserId from a provider's
+# claims. In the case of untrusted providers, when all provided claims
+# conflict with existing user accounts, a unique fallback ID needs
+# to be generated for registration to not be denied with an error.
+#
+# Set this option to false if you operate a private server or a trusted
+# identity provider where random UserId's are undesirable; the result of a
+# misconfiguration or other issue where an error is warranted.
+#
+# This option should be set to true for public servers or some users may
+# never be able to register.
+#
+#unique_id_fallbacks = true
+
+# Controls whether new user registration is possible from this provider.
+# When this option is set to false, authorizations from this provider
+# only affect existing users and will never result in a new registration
+# when the claims fail to match any existing user (in the case of trusted
+# providers) or an available username is found (in the case of untrusted
+# providers).
+#
+# Setting this option to false is generally not useful unless there is
+# an explicit reason to do so.
+#
+#registration = true
+
 # Optional extra path components after the issuer_url leading to the
 # location of the `.well-known` directory used for discovery. If the path
 # starts with a slash it will be treated as absolute, meaning overwriting