
When logged in through an external auth provider, user is invited to re-create his account
Closed, Invalid (Public)

Description

Here's how to reproduce the problem:

  1. Configure an additional provider in Auth (e.g. LDAP)
  2. Create a new user account in People (e.g. John Doe)
  3. John receives an email, clicks the link, works in Phabricator, great!
  4. ...his session expires...
  5. John wants to log in, but is invited to create a new account

Administrative approvals are disabled and registration is not allowed, so basically only administrators create users in our instance.

Looking further in the database, the field phabricator_user.user_externalaccount.userPHID is empty for the John Doe account. I had to manually copy the value from phabricator_user.user.phid as a workaround.

phabricator fea2389066edf3ad0a7547ae12d8e988428a4f5c (Apr 2 2016) 
arcanist    f89f3de65805f7f65c8082ed387e8e2572596f7a (Mar 19 2016) 
phutil      d414e4436e1c8779634458c23ab8880cf613312f (Apr 2 2016)

Event Timeline

Is the issue reproducible with an updated version of Phabricator?

I didn't see anything related in recent changelogs, so I didn't update our instance.
But if you could wait a couple of days, I could try to reproduce.

epriestley added a subscriber: epriestley.

This is expected. This is a security feature, not a bug. Just because you have a Phabricator user account named joe does not mean you have authority over the LDAP user account named joe, and vice versa. In many cases LDAP and Phabricator user account names differ. Users must prove they have control over external accounts by linking them before they can use those external accounts to access Phabricator.

See T4279, T10452, T5953 for additional discussion.

OK for the security feature, but in my case LDAP is the only auth provider (username/password is disabled), so my users can't link their accounts.

They can link their accounts in Settings > External Accounts.

OK, so they have to do it at step 3, before their first session expires; otherwise I'd have to update it directly in the DB.
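For administrators who end up in the reporter's situation, a read-only audit query is safer than editing rows by hand. The following is an added example, not part of this task or of the Phabricator project; it lists LDAP external accounts whose `userPHID` is empty (the symptom described above) next to the Phabricator user whose login name happens to match. The table and column names `phabricator_user.user_externalaccount.userPHID` and `phabricator_user.user.phid` come from the report; `accountType`, `username` on the external-account table and `userName` on the user table are assumptions about the schema and should be checked against the instance before use.

```sql
-- Added audit example (not the project's own code). Read-only.
-- Lists LDAP external accounts that are not linked to any Phabricator user,
-- plus a candidate user found by login-name match for manual review.
-- Assumed columns: user_externalaccount.accountType, user_externalaccount.username,
-- user.userName (verify with SHOW COLUMNS before running on a real instance).
SELECT ea.id,
       ea.accountType,
       ea.username AS external_username,
       ea.userPHID,
       u.phid      AS candidate_user_phid,
       u.userName  AS candidate_user
FROM phabricator_user.user_externalaccount AS ea
LEFT JOIN phabricator_user.user AS u
       ON u.userName = ea.username
WHERE ea.accountType = 'ldap'
  AND (ea.userPHID IS NULL OR ea.userPHID = '');
```

The candidate column is only a hint. As epriestley's comment points out, a matching name is not proof that the LDAP account and the Phabricator account belong to the same person, so the rows this query returns should be resolved by having each user link the account in Settings > External Accounts while still logged in, not by a blanket UPDATE that copies `u.phid` into `ea.userPHID`. The reporter's manual copy is a per-account last resort for an administrator who has verified the mapping out of band.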