Oidc: Prevent internal users from logging in when OIDC is enabled #782

internal/api/session.go

@@ -66,6 +66,13 @@ func CreateSession(router *gin.RouterGroup) {
 				return
 			}
 
+			oidcEnabled := conf.OidcIssuerUrl() != nil && conf.OidcClientId() != "" && conf.OidcClientSecret() != ""
+			if user.ID != entity.Admin.ID && oidcEnabled && !user.External() {
+				log.Warn("Internal users are disabled when using OpenID Connect")
+				c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
+				return
+			}
+
 			data.User = *user
 		} else {
 			c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidPassword)})

internal/commands/users.go

@@ -288,6 +288,10 @@ func usersUpdateAction(ctx *cli.Context) error {
 func callWithDependencies(ctx *cli.Context, f func(conf *config.Config) error) error {
 	conf := config.NewConfig(ctx)
 
+	if conf.OidcIssuerUrl() != nil && conf.OidcClientId() != "" && conf.OidcClientSecret() != "" {
+		log.Warn("Internal users are disabled when using OpenID Connect")
+	}
+
 	_, cancel := context.WithCancel(context.Background())
 	defer cancel()
 

internal/entity/user.go

@@ -292,6 +292,11 @@ func (m *User) Guest() bool {
 	return m.RoleGuest
 }
 
+// Guest returns true if the user is a guest.
+func (m *User) External() bool {
+	return m.ExternalID != ""
+}
+
 // SetPassword sets a new password stored as hash.
 func (m *User) SetPassword(password string) error {
 	if !m.Registered() {