element-hq
diff --git a/‎crates/cli/src/sync.rs
+1 b/‎crates/cli/src/sync.rs
+1
diff --git a/‎crates/config/src/sections/upstream_oauth2.rs
+7 b/‎crates/config/src/sections/upstream_oauth2.rs
+7
diff --git a/‎crates/data-model/src/upstream_oauth2/provider.rs
+1 b/‎crates/data-model/src/upstream_oauth2/provider.rs
+1
diff --git a/‎crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs
+1 b/‎crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs
+1
diff --git a/‎crates/handlers/src/upstream_oauth2/cache.rs
+1 b/‎crates/handlers/src/upstream_oauth2/cache.rs
+1
diff --git a/‎crates/handlers/src/upstream_oauth2/link.rs
+23-8 b/‎crates/handlers/src/upstream_oauth2/link.rs
+23-8
diff --git a/‎crates/handlers/src/views/login.rs
+2 b/‎crates/handlers/src/views/login.rs
+2
diff --git a/‎crates/storage-pg/.sqlx/query-1d758df58ccfead4cb39ee8f88f60b382b7881e9c4ead31ff257ff5ff4414b6e.json ‎crates/storage-pg/.sqlx/query-0ffcf354f8b7f00691812d4b8d86999d97ebe799d87737b4dfec1585edc0d0f9.json
+8-2 b/‎crates/storage-pg/.sqlx/query-1d758df58ccfead4cb39ee8f88f60b382b7881e9c4ead31ff257ff5ff4414b6e.json ‎crates/storage-pg/.sqlx/query-0ffcf354f8b7f00691812d4b8d86999d97ebe799d87737b4dfec1585edc0d0f9.json
+8-2
diff --git a/‎crates/storage-pg/.sqlx/query-e25af41189846e26da99e5d8a1462eab5efe330f60ef8c6c813c747424ba7ec9.json ‎crates/storage-pg/.sqlx/query-6e14a326d9c75e0ee0cb7d450badbd180cbb1f74749d4859e2fad5c48a1ef2bd.json
+3-2 b/‎crates/storage-pg/.sqlx/query-e25af41189846e26da99e5d8a1462eab5efe330f60ef8c6c813c747424ba7ec9.json ‎crates/storage-pg/.sqlx/query-6e14a326d9c75e0ee0cb7d450badbd180cbb1f74749d4859e2fad5c48a1ef2bd.json
+3-2
diff --git a/‎crates/storage-pg/.sqlx/query-72de26d5e3c56f4b0658685a95b45b647bb6637e55b662a5a548aa3308c62a8a.json
-44 b/‎crates/storage-pg/.sqlx/query-72de26d5e3c56f4b0658685a95b45b647bb6637e55b662a5a548aa3308c62a8a.json
-44
diff --git a/‎crates/storage-pg/.sqlx/query-922eba626e453a12eb58ba460465de12d3f72073844306210b3aeaf3247db06c.json
+45 b/‎crates/storage-pg/.sqlx/query-922eba626e453a12eb58ba460465de12d3f72073844306210b3aeaf3247db06c.json
+45
@@ -292,6 +292,7 @@ pub async fn config_sync(
                         fetch_userinfo: provider.fetch_userinfo,
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
+                        allow_existing_users: provider.allow_existing_users,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()
 
@@ -535,6 +535,13 @@ pub struct Provider {
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]
     pub claims_imports: ClaimsImports,
 
+    /// Whether to allow a user logging in via OIDC to match a pre-existing
+    /// account instead of failing. This could be used if switching from
+    /// password logins to OIDC.
+    //Defaults to false.
+    #[serde(default)]
+    pub allow_existing_users: bool,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.
 
@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
+    pub allow_existing_users: bool,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 
 
@@ -42,6 +42,7 @@ mod test_utils {
             token_endpoint_override: None,
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
+            allow_existing_users: true,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }
 
@@ -422,6 +422,7 @@ mod tests {
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
+            allow_existing_users: false,
             additional_authorization_parameters: Vec::new(),
         };
 
 
@@ -440,7 +440,9 @@ pub(crate) async fn get(
                             .await
                             .map_err(RouteError::HomeserverConnection)?;
 
-                        if maybe_existing_user.is_some() || !is_available {
+                        if !provider.allow_existing_users
+                            && (maybe_existing_user.is_some() || !is_available)
+                        {
                             if let Some(existing_user) = maybe_existing_user {
                                 // The mapper returned a username which already exists, but isn't
                                 // linked to this upstream user.
@@ -717,15 +719,16 @@ pub(crate) async fn post(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Required,
                     );
-                } else if repo.user().exists(&username).await? {
+                } else if !provider.allow_existing_users && repo.user().exists(&username).await? {
                     form_state.add_error_on_field(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Exists,
                     );
-                } else if !homeserver
-                    .is_localpart_available(&username)
-                    .await
-                    .map_err(RouteError::HomeserverConnection)?
+                } else if !provider.allow_existing_users
+                    && !homeserver
+                        .is_localpart_available(&username)
+                        .await
+                        .map_err(RouteError::HomeserverConnection)?
                 {
                     // The user already exists on the homeserver
                     tracing::warn!(
@@ -805,8 +808,19 @@ pub(crate) async fn post(
                     .into_response());
             }
 
-            // Now we can create the user
-            let user = repo.user().add(&mut rng, &clock, username).await?;
+            let user = if provider.allow_existing_users {
+                // If the provider allows existing users, we can use the existing user
+                let existing_user = repo.user().find_by_username(&username).await?;
+                if existing_user.is_some() {
+                    existing_user.unwrap()
+                } else {
+                    // This case should not happen
+                    repo.user().add(&mut rng, &clock, username).await?
+                }
+            } else {
+                // Now we can create the user
+                repo.user().add(&mut rng, &clock, username).await?
+            };
 
             if let Some(terms_url) = &site_config.tos_uri {
                 repo.user_terms()
@@ -948,6 +962,7 @@ mod tests {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
 
@@ -452,6 +452,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -493,6 +494,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },
Original file line number	Diff line number	Diff line change
`@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {`
`240`	`240`	`pub created_at: DateTime<Utc>,`
`241`	`241`	`pub disabled_at: Option<DateTime<Utc>>,`
`242`	`242`	`pub claims_imports: ClaimsImports,`
	`243`	`+ pub allow_existing_users: bool,`
`243`	`244`	`pub additional_authorization_parameters: Vec<(String, String)>,`
`244`	`245`	`}`
`245`	`246`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ mod test_utils {`
`42`	`42`	`token_endpoint_override: None,`
`43`	`43`	`userinfo_endpoint_override: None,`
`44`	`44`	`jwks_uri_override: None,`
	`45`	`+ allow_existing_users: true,`
`45`	`46`	`additional_authorization_parameters: Vec::new(),`
`46`	`47`	`ui_order: 0,`
`47`	`48`	`}`