Problem/Motivation
When users are auto-generated because of the "Override registration settings" option, passwords seem to be created via user_password() with the default length (10 characters).
Proposed resolution
Do not set a password at all, as OIDC users are not supposed to have one.
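The following is an added illustration of the proposed resolution, not code from the openid_connect module: a Drupal user entity is created for a federated (OIDC) identity with the `pass` key omitted, so the account has no local password hash and cannot be logged into with a password. The function and helper names, the username derivation and the `$userinfo`/`$sub` inputs are hypothetical; it assumes Drupal 9 or 10 with the core user module.

```php
<?php

// Added example (not the openid_connect module's own code). Assumes Drupal
// 9/10 with the user module installed; $sub and $userinfo are hypothetical
// values taken from an identity provider's userinfo response.

use Drupal\user\Entity\User;
use Drupal\user\UserInterface;

/**
 * Creates a local account for an OIDC identity without a local password.
 *
 * @param string $sub
 *   The 'sub' claim from the identity provider (hypothetical input).
 * @param array $userinfo
 *   Decoded userinfo claims; only 'email' is used here.
 *
 * @return \Drupal\user\UserInterface
 *   The saved account.
 */
function example_create_oidc_user(string $sub, array $userinfo): UserInterface {
  $account = User::create([
    // Hypothetical username scheme: stable, non-guessable, derived from 'sub'.
    'name' => 'oidc_' . substr(hash('sha256', $sub), 0, 12),
    'mail' => $userinfo['email'],
    'init' => $userinfo['email'],
    'status' => 1,
    // Deliberately no 'pass' key. The line the issue removes looked like
    //   'pass' => user_password(),
    // which gave every federated account a second, password-based login
    // path (and user_password() no longer exists in Drupal 10).
  ]);
  $account->save();
  return $account;
}

/**
 * Post-creation check: a federated account must not carry a usable local
 * password hash. With no 'pass' value supplied, the stored value is empty.
 */
function example_has_no_local_password(UserInterface $account): bool {
  $stored = $account->getPassword();
  return $stored === NULL || $stored === '';
}
```

A reasonable place to call `example_has_no_local_password()` is a kernel test or a post-deployment audit over existing accounts that were provisioned while the old `user_password()` line was still in place; any such account that still carries a hash should have it cleared rather than regenerated.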
Comment | File | Size | Author
---|---|---|---
#8 | openid-connect-remove-password-3214539-8.patch | 709 bytes | Hebl
 | Screenshot from 2021-05-18 14-09-32.png | 54.05 KB | msno
Comments
Comment #2
msno CreditAttribution: msno commented
Comment #3
jcnventura CreditAttribution: jcnventura at 1xINTERNET commented
Hi @msno. Welcome to Drupal.
Thanks for the report. This user_password() call has been present in the code for quite a long time, and nobody had noticed that issue until now.
The solution is actually to not set a password at all. Having a NULL password disables the ability of the user to use a password. Setting a larger password doesn't really solve the problem, only makes it harder to guess what the generated password is.
Comment #5
jcnventura CreditAttribution: jcnventura at 1xINTERNET commented
Comment #6
msno CreditAttribution: msno commented
I couldn't agree more - also found out that the password could be omitted when creating a user programmatically and, hence, manual login is not possible.
Thanks for the quick reaction!
Comment #8
Hebl CreditAttribution: Hebl at manifesto commented
I've added a patch which removes the password addition line for those who want to use the 8.x-1.3 version.
Comment #9
agn507 CreditAttribution: agn507 commented
Having trouble getting this patch to apply against 1.3. Any chance this can get rolled into 1.x without the patch?
Comment #10
sanduhrs commented
This has been committed in #4, no need to patch.
Comment #12
sanduhrs commented
Has been committed to 8.x-1.x, will be in the next release.
Comment #13
Harlor CreditAttribution: Harlor at erdfisch commented
Oh, this issue causes a fatal on Drupal 10 :S
user_password() does not exist in Drupal 10 anymore.
I'm really surprised that Upgrade Status did not report this.
The reason seems to be that the function was found in UserPasswordFixture.php.
Comment #14
sanduhrs commented
Removing the usage of user_password() causes a fatal?
Comment #15
Hebl CreditAttribution: Hebl at manifesto commented
Hey @sanduhrs,
Thanks a lot for adding the fix into 8.x-1.x, much appreciated.
Removing the user_password() does not cause a fatal (for me anyway). Having it left in on Drupal 10 however did cause the fatal error.
Thanks again!
Comment #16
Harlor CreditAttribution: Harlor at erdfisch commented
That's what I meant.