Commit 4f02c4e7 authored by João Ventura's avatar João Ventura Committed by João Ventura

Issue #3250979 by sanduhrs, jcnventura: Add note on possible implications when...

Issue #3250979 by sanduhrs, jcnventura: Add note on possible implications when enabling auto connect existing accounts
parent 9cedfc08
+22 −0
@@ -5,6 +5,8 @@
 * Install, update and uninstall functions for the OpenID Connect module.
 */

use \Drupal\Core\Url;

/**
 * Implements hook_schema().
 */
@@ -55,6 +57,26 @@ function openid_connect_schema() {
  return $schema;
}

/**
 * Implements hook_requirements().
 */
function openid_connect_requirements($phase) {
  $requirements = [];
  if ($phase == 'runtime') {
    if (\Drupal::config('openid_connect.settings')->get('connect_existing_users')) {
      $requirements['openid_connect_connect_existing_users'] = [
        'title' => t('OpenID Connect'),
        'value' => t('Automatically connect existing users enabled'),
        'description' => t('The "Automatically connect existing users" option is enabled. This can lead to security vulnerabilities. It is <strong>highly recommended</strong> to <a href=":url">disable this option</a>.',
          [':url' => Url::fromRoute('openid_connect.admin_settings', [], ['fragment' => 'edit-connect-existing-users'])->toString()]
        ),
        'severity' => REQUIREMENT_WARNING,
      ];
    }
  }
  return $requirements;
}

/**
 * Add default config for Facebook and LinkedIn provider.
 */
+16 −8
@@ -172,13 +172,6 @@ class OpenIDConnectSettingsForm extends ConfigFormBase implements ContainerInjec
      '#default_value' => $settings->get('always_save_userinfo'),
    ];

    $form['connect_existing_users'] = [
      '#type' => 'checkbox',
      '#title' => $this->t('Automatically connect existing users'),
      '#description' => $this->t('If disabled, authentication will fail for existing email addresses.'),
      '#default_value' => $settings->get('connect_existing_users'),
    ];

    $form['user_login_display'] = [
      '#type' => 'radios',
      '#title' => $this->t('OpenID buttons display in user login form'),
@@ -229,6 +222,18 @@ class OpenIDConnectSettingsForm extends ConfigFormBase implements ContainerInjec
      ];
    }

    $form['advanced'] = [
      '#title' => $this->t('Advanced'),
      '#type' => 'details',
      '#open' => $settings->get('connect_existing_users') ? TRUE : FALSE,
    ];
    $form['advanced']['connect_existing_users'] = [
      '#type' => 'checkbox',
      '#title' => $this->t('Automatically connect existing users'),
      '#description' => $this->t('<strong><em>Please note:</em> This option has security implications, only use with trusted OpenID Connect providers.</strong><br />If disabled, authentication will fail for accounts with existing email addresses, users may connect existing accounts on their personal Connected Accounts page in a secure way.'),
      '#default_value' => $settings->get('connect_existing_users'),
    ];

    return parent::buildForm($form, $form_state);
  }

@@ -267,7 +272,10 @@ class OpenIDConnectSettingsForm extends ConfigFormBase implements ContainerInjec

    $this->config('openid_connect.settings')
      ->set('always_save_userinfo', $form_state->getValue('always_save_userinfo'))
      ->set('connect_existing_users', $form_state->getValue('connect_existing_users'))
      ->set('connect_existing_users', $form_state->getValue([
        'advanced',
        'connect_existing_users',
      ]))
      ->set('override_registration_settings', $form_state->getValue('override_registration_settings'))
      ->set('userinfo_mappings', array_filter($form_state->getValue('userinfo_mappings')))
      ->set('user_login_display', $form_state->getValue('user_login_display'))
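Review bot: The rewritten `->set('connect_existing_users', $form_state->getValue(['advanced', 'connect_existing_users']))` only finds a value if the `advanced` details element is `#tree => TRUE`; the element as built in the `@@ -229,6 +222,18 @@` hunk sets `#title`, `#type` and `#open` but no `#tree`, and Drupal's default `#tree` is FALSE, so unless it is set somewhere outside these hunks the submitted checkbox lands at the top level and this call returns NULL, saving the setting as NULL every time and leaving the option impossible to enable (fail-closed, but silently). Either add `'#tree' => TRUE,` to `$form['advanced']` or read `$form_state->getValue('connect_existing_users')` here, and confirm with a manual save that the checkbox stays checked. Also, `'#open' => $settings->get('connect_existing_users') ? TRUE : FALSE,` is just `'#open' => (bool) $settings->get('connect_existing_users'),`, and the new `#description` has a comma splice that reads as one run-on sentence; a period before "Users may connect existing accounts..." makes the two statements distinct. The enclosing submitForm() continues past the end of this hunk.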