Auto-Provisioning in email mode doesn't set email, which causes a new auto-provisioned account to be created on each login #335

@Kruemmelspalter

Description


The AutoProvisioningService currently doesn't set the email address in email mode (i.e. when identifying users by their email), neither when updating user info nor when creating users. The former is intended; the latter breaks auto-provisioning in email mode:

  1. A user that doesn't exist in OwnCloud yet logs in via OIDC
  2. The app checks if there is an account with the user's email address, which there isn't
  3. Because of this, the app auto-provisions the user, creating an account, setting the username etc. but not setting the email address (because the app is in email mode)
  4. Now when the user logs in again, they still aren't identified by their email address, and another account gets created.

Especially in email mode, it is very important that a user's email gets set when the user is created (and it should also be updated if it changes in the IdP, which currently can't happen, because by then the user isn't identified as the same user anymore).

lib/Service/AutoProvisioningService.php (L166-179):

```php
public function updateAccountInfo(IUser $user, $userInfo, bool $force = false): void {
	// [167...169] (lines elided in the excerpt)
	# email is only changed in case the mode is not `email`
	if ($this->client->mode() !== 'email') {
		if ($force || $user->canChangeMailAddress()) {
			$currentEmail = $this->client->getUserEmail($userInfo);
			if ($currentEmail && $currentEmail !== $user->getEMailAddress()) {
				$this->logger->debug('AutoProvisioningService: setting e-mail to ' . $currentEmail);
				$user->setEMailAddress($currentEmail);
			}
		}
	}
}
```

where `$force` is true if and only if the method is called from `AutoProvisioningService::createUser` (L99...).

The check in L171 should have a `$force ||` in front of it, so that the email is set on user creation.

The check could also be removed entirely, because there is no scenario in which the email (or rather the `$search`-attribute, defaulting to email, which is the identifying property) changes but the user is still identified as the same user.

I can probably get a PR done in a few days if you want me to.
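The duplicate-account flow described in the issue, as an added example that is not part of the original report or of the owncloud/openidconnect code base. It is a stand-alone in-memory model: `UserStore`, `provisionLogin` and `accountsAfterTwoLogins` are hypothetical names, `alice@example.org` is a constructed sample identity, and `updateAccountInfo` only mirrors the shape of the mode check quoted above, switching between the check as posted and the check with the proposed `$force ||`.

```php
<?php
// Added example (not project code): a minimal model of OIDC auto-provisioning
// in email mode, showing why skipping the email on creation duplicates accounts.

final class UserStore {
    /** @var array<string, array{uid: string, email: ?string}> */
    private array $users = [];

    // Email-mode lookup: the IdP email is the only identifying property.
    public function findByEmail(string $email): ?array {
        foreach ($this->users as $u) {
            if ($u['email'] !== null && strcasecmp($u['email'], $email) === 0) {
                return $u;
            }
        }
        return null;
    }

    public function create(string $uid): array {
        $this->users[$uid] = ['uid' => $uid, 'email' => null];
        return $this->users[$uid];
    }

    public function setEmail(string $uid, string $email): void {
        $this->users[$uid]['email'] = $email;
    }

    public function count(): int {
        return count($this->users);
    }
}

// Mirrors the structure of the quoted updateAccountInfo. $force is true only on
// the createUser path; $fixed selects the check as posted vs. with `$force ||`.
function updateAccountInfo(UserStore $store, string $uid, string $idpEmail,
                           string $mode, bool $force, bool $fixed): void {
    $shouldSetEmail = $fixed ? ($force || $mode !== 'email') : ($mode !== 'email');
    if ($shouldSetEmail) {
        $store->setEmail($uid, $idpEmail);
    }
}

// One OIDC login: look the user up by email; if nobody matches, auto-provision.
function provisionLogin(UserStore $store, string $idpEmail, string $mode, bool $fixed): string {
    $existing = $store->findByEmail($idpEmail);
    if ($existing !== null) {
        updateAccountInfo($store, $existing['uid'], $idpEmail, $mode, false, $fixed);
        return $existing['uid'];
    }
    // createUser path: new uid, then updateAccountInfo with $force = true.
    $uid = 'user-' . ($store->count() + 1);
    $store->create($uid);
    updateAccountInfo($store, $uid, $idpEmail, $mode, true, $fixed);
    return $uid;
}

// Same IdP identity logs in twice; return how many accounts exist afterwards.
function accountsAfterTwoLogins(bool $fixed): int {
    $store = new UserStore();
    $idpEmail = 'alice@example.org'; // constructed sample identity
    provisionLogin($store, $idpEmail, 'email', $fixed);
    provisionLogin($store, $idpEmail, 'email', $fixed);
    return $store->count();
}

printf("mode check as posted: %d account(s)\n", accountsAfterTwoLogins(false));
printf("with \$force || fix:   %d account(s)\n", accountsAfterTwoLogins(true));
```

With the check as posted, the first login creates an account whose email stays `null`, so the second login's lookup by email misses and a second account is created; with `$force ||` in front of the mode check, the email is written on the createUser path, the second lookup matches, and only one account exists. The hardened variant still leaves the email untouched on the non-forced update path, which is the part of the existing behaviour the issue describes as intended.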
