Best way to programmatically create OIDC SSO customers on the pretix side?

[stapelberg]

We have a web application in which interested users can sign up, and as a side effect the user will also get an account in pretix.

Currently, we are accomplishing this by using the customer pretix API to create accounts with the same password, but I want to switch this setup to use the now-available OIDC based SSO for customers.

I have an implementation of an OIDC provider ready, but now I’m facing an interesting detail question: how can I make my web application ensure a customer account exists on the pretix side and obtain its id? I need to store the customer ID because the web app is making orders on the customer’s behalf.

When using the customer API, the ID will be auto-assigned and won’t match what the SSO implementation expects:

pretix/src/pretix/presale/views/customer.py

Lines 722 to 728 in 5c7858c

	identifier = hashlib.sha256(
	profile['uid'].encode() + b'@' + str(self.provider.pk).encode()
	).hexdigest().upper()[:settings.ENTROPY['customer_identifier']]
	if "1" not in identifier and "0" not in identifier:
	# This is a hack to make sure the hash space does not overlap with the random identifiers generated by
	# Customer.assign_identifier()
	identifier = identifier[:4] + "1" + identifier[4:-1]

I could generate matching IDs, but via the customer API I still can’t set the provider_id field. It would probably be a quick patch to make it work, but I’m not sure if you’d consider merging it?

The other alternative I can think of is to trigger a login, but I’m not sure what the best API for that would be. Making HTTP requests to pretix’s user interface and parsing HTML for CSRF tokens doesn’t seem like an elegant or stable solution, but I’m not aware of a programmatic way to log into pretix.

Am I missing something? What do you think would be the best solution for this problem? Thanks in advance

[raphaelm]

I think you are not missing something. So far, this was not a problem we intended to solve.

With most OIDC integrations, accounts are created on first login, which has the lowest error potential, and for almost all use cases this works very well. You can even set memberships etc. through the API right during/after first login.

Why do you need to create the pretix customer before they first log in? For API order creation?

[stapelberg]

Why do you need to create the pretix customer before they first log in? For API order creation?

Exactly. When one of our admins accepts a membership request, we order (on behalf of the user) the membership fees for the first year. Then, we directly email the payment URL of that order to the user.

It occurs to me now that one way to integrate the shop login into the signup flow is to have the user’s browser do the login (fully automatically as the user is already signed in to the custom frontend), but then redirecting not to a pretix page, but back to our custom frontend which proceeds with the membership fees order.

I’ll try and see if I can make that work.