This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Using SSO to sign up for an account bypasses some of the information that needs to be filled out #16256

Open
MomentQYC opened this issue Sep 5, 2023 · 4 comments
Labels
A-SSO Single Sign-On (maybe OIDC) O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Blocks non-critical functionality, workarounds exist. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@MomentQYC
Contributor

Description

For example, assuming that the server is set up to require an email address to register in order to avoid spam as much as possible, when I use GitHub OAuth for authorization to sign up for an account, I can sign up for an account without filling in my email address.

Steps to reproduce

  • Set Synapse to require email address verification in order to register
  • Set up third-party authorization for registration, such as GitHub OAuth
  • Sign up for an account using GitHub OAuth without verifying your email address

Homeserver

Matrix.org can reproduce this situation

Synapse Version

Synapse 1.91.1

Installation Method

Debian packages from packages.matrix.org

Database

IDK

Workers

I don't know

Platform

Matrix.org

Configuration

IDK

Relevant log output

IDK

Anything else that would be useful to know?

No response

@clokep
Member

clokep commented Sep 8, 2023

From discussion with others it seems that in this case you're depending on the SSO provider to handle anti-spam for you, i.e. this is done on purpose.

@clokep
Member

clokep commented Sep 8, 2023

It does sound like some SSO providers include whether the email was verified though, so you could possibly use the attribute_requirements for the provider to ensure that it is validated before allowing the login.

@clokep clokep added the X-Needs-Info This issue is blocked awaiting information from the reporter label Sep 8, 2023
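One way to apply the attribute_requirements suggestion above, as an added example that is not configuration from the issue or from Synapse's own documentation: an oidc_providers entry for an OpenID Connect provider that returns the standard email_verified claim in its userinfo response. The idp_id, issuer URL, client credentials and template values are placeholders, and the value form assumes Synapse matches the configured value against that claim, which should be checked against the configuration documentation for the Synapse version in use.

```yaml
# Added example, not from the issue or from Synapse's docs. Placeholder
# provider and credentials; assumes the IdP emits the OIDC email_verified claim.
oidc_providers:
  - idp_id: example_oidc
    idp_name: "Example IdP"
    issuer: "https://idp.example.com/"
    client_id: "PLACEHOLDER_CLIENT_ID"
    client_secret: "PLACEHOLDER_CLIENT_SECRET"
    scopes: ["openid", "profile", "email"]
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"
        email_template: "{{ user.email }}"
    # Without this block, Synapse accepts any login the IdP completes, even when
    # the IdP never verified the user's email address (the behaviour reported
    # above). With it, a login whose userinfo lacks email_verified, or carries
    # it as false, is rejected before an account is created. Providers that do
    # not return the claim at all (the reporter's follow-up case) therefore fail
    # the requirement rather than being admitted unverified.
    attribute_requirements:
      - attribute: email_verified
        value: "true"   # assumption: see lead-in on how booleans are matched
```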
@MomentQYC
Contributor Author

> It does sound like some SSO providers include whether the email was verified though, so you could possibly use the attribute_requirements for the provider to ensure that it is validated before allowing the login.

There are some providers that will not provide email information, so for these people, should you go through an additional email verification process?

@clokep
Member

clokep commented Sep 11, 2023

> so for these people should you go through an additional email verification process?

This would probably depend on what the operator of the server wanted -- whether they trust the provider to have enough spam protections in place to avoid spammy accounts or not.

It sounds like this isn't possible today though since you can't layer SSO and then email on-top.

@sandhose mentioned to me that this will be possible using the matrix-authentication-service though.

@clokep clokep added S-Minor Blocks non-critical functionality, workarounds exist. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. O-Uncommon Most users are unlikely to come across this or unexpected workflow A-SSO Single Sign-On (maybe OIDC) and removed X-Needs-Info This issue is blocked awaiting information from the reporter labels Sep 11, 2023

2 participants