auth: Make full_name_validated attr of generic OIDC configurable.

This will be useful for deployments that want to just use the full name
provided by the IdP and thus skip the registration form. Also in
combination with disabling name changes in the organization, can force
users to just use that name without being able to change it.

zproject/backends.py

@@ -2277,6 +2277,8 @@ class GenericOpenIdConnectBackend(SocialAuthMixin, OpenIdConnectAuth):
     display_icon = settings_dict.get("display_icon")
     display_name = settings_dict.get("display_name", "OIDC")
 
+    full_name_validated = getattr(settings, "SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED", False)
+
     # Discovery endpoint for the superclass to read all the appropriate
     # configuration from.
     OIDC_ENDPOINT = settings_dict.get("oidc_url")

zproject/default_settings.py

@@ -99,6 +99,7 @@ SOCIAL_AUTH_APPLE_EMAIL_AS_USERNAME = True
 
 # Generic OpenID Connect:
 SOCIAL_AUTH_OIDC_ENABLED_IDPS: Dict[str, Dict[str, Optional[str]]] = {}
+SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = False
 
 # Other auth
 SSO_APPEND_DOMAIN: Optional[str] = None

zproject/prod_settings_template.py

@@ -369,6 +369,14 @@ SOCIAL_AUTH_OIDC_ENABLED_IDPS = {
     }
 }
 
+## Controls how Zulip uses the Full Name provided by the IdP at the
+## userinfo endpoint. By default, Zulip prefills that value but lets
+## the user modify it in the registration form. When enabled, Zulip
+## assumes the name is correct, and new users will not be presented
+## with a registration form unless they need to accept Terms of
+## Service (i.e. TERMS_OF_SERVICE=True).
+# SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = True
+
 ########
 ## SAML authentication
 ##

zproject/test_extra_settings.py

@@ -202,6 +202,7 @@ SOCIAL_AUTH_OIDC_ENABLED_IDPS = {
         "secret": "secret",
     }
 }
+SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = True
 
 
 VIDEO_ZOOM_CLIENT_ID = "client_id"