From 47a4a9193f396c61d0b50e2a339595a80e9036d6 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Sun, 23 May 2021 12:00:20 +0200
Subject: [PATCH] auth: Make full_name_validated attr of generic OIDC configurable.

This will be useful for deployments that want to just use the full name provided by the IdP and thus skip the registration form. Also in combination with disabling name changes in the organization, can force users to just use that name without being able to change it.
---
 zproject/backends.py               | 2 ++
 zproject/default_settings.py       | 1 +
 zproject/prod_settings_template.py | 8 ++++++++
 zproject/test_extra_settings.py    | 1 +
 4 files changed, 12 insertions(+)

diff --git a/zproject/backends.py b/zproject/backends.py
index 55d21b9edd..001e1663e0 100644
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -2277,6 +2277,8 @@ class GenericOpenIdConnectBackend(SocialAuthMixin, OpenIdConnectAuth):
     display_icon = settings_dict.get("display_icon")
     display_name = settings_dict.get("display_name", "OIDC")
 
+    full_name_validated = getattr(settings, "SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED", False)
+
     # Discovery endpoint for the superclass to read all the appropriate
     # configuration from.
     OIDC_ENDPOINT = settings_dict.get("oidc_url")
diff --git a/zproject/default_settings.py b/zproject/default_settings.py
index 6b55d76ceb..80975db7b0 100644
--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@@ -99,6 +99,7 @@ SOCIAL_AUTH_APPLE_EMAIL_AS_USERNAME = True
 
 # Generic OpenID Connect:
 SOCIAL_AUTH_OIDC_ENABLED_IDPS: Dict[str, Dict[str, Optional[str]]] = {}
+SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = False
 
 # Other auth
 SSO_APPEND_DOMAIN: Optional[str] = None
diff --git a/zproject/prod_settings_template.py b/zproject/prod_settings_template.py
index 853ca4089b..e9e527119e 100644
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
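Review bot: The added `full_name_validated = getattr(settings, "SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED", False)` reads a deployment-wide setting, while the neighbouring `display_icon` and `display_name` come from the per-IdP `settings_dict`, so a deployment with several entries in `SOCIAL_AUTH_OIDC_ENABLED_IDPS` cannot trust the name from one IdP without trusting it from all of them; if that is the intended scope, the line deserves a comment saying so. Since the same commit gives the setting a `False` default in default_settings.py, the `getattr` fallback is redundant and plain `settings.SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED` would be simpler. I would add above the line: `# When True, the name the IdP returns from userinfo is accepted as-is and the registration form is skipped; this applies to every IdP in SOCIAL_AUTH_OIDC_ENABLED_IDPS.` The enclosing class GenericOpenIdConnectBackend begins and ends outside the hunk.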
@@ -369,6 +369,14 @@ SOCIAL_AUTH_OIDC_ENABLED_IDPS = {
     }
 }
 
+## Controls how Zulip uses the Full Name provided by the IdP at the
+## userinfo endpoint. By default, Zulip prefills that value but lets
+## the user modify it in the registration form. When enabled, Zulip
+## assumes the name is correct, and new users will not be presented
+## with a registration form unless they need to accept Terms of
+## Service (i.e. TERMS_OF_SERVICE=True).
+# SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = True
+
 ########
 ## SAML authentication
 ##
diff --git a/zproject/test_extra_settings.py b/zproject/test_extra_settings.py
index a793ce18c0..b3559a3405 100644
--- a/zproject/test_extra_settings.py
+++ b/zproject/test_extra_settings.py
@@ -202,6 +202,7 @@ SOCIAL_AUTH_OIDC_ENABLED_IDPS = {
         "secret": "secret",
     }
 }
+SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED = True
 
 VIDEO_ZOOM_CLIENT_ID = "client_id"
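Review bot: The new comment block for `SOCIAL_AUTH_OIDC_FULL_NAME_VALIDATED` describes the registration-form effect but not the trust decision an administrator is making: when enabled, whatever name the IdP returns is accepted without the user confirming it, and, because the backends.py hunk reads the flag from global settings rather than the per-IdP `settings_dict`, it appears to apply to every IdP listed in `SOCIAL_AUTH_OIDC_ENABLED_IDPS` at once. I would add after the TERMS_OF_SERVICE sentence: `## Only enable this if every IdP configured in SOCIAL_AUTH_OIDC_ENABLED_IDPS is authoritative for users' names; the setting is not per-IdP.` The rest of the hunk is commentary only.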