Disabled user should not be allowed to login (and create a new duplicated user)

[qbey]

Bug Report

Problematic behavior
If a user is marked as is_active=False and login again, it will create another user with the same sub. The same behavior applies for the email fallback behavior.

Expected behavior/code
When a user is marked as is_active=False and logs in, we should get the User object even if "disabled" then after, check the is_active to allow login or not.

def get_or_create_user(self, access_token, id_token, payload):
    # ...

    # if sub is absent, try matching on email
        user = self.get_existing_user(sub, email)

        if not user.is_active:
            raise SuspiciousOperation(_("User %s is disabled" % sub))

    # ...


def get_existing_user(self, sub, email):
         """Fetch existing user by sub or email."""
         try:
             return User.objects.get(sub=sub)
        except User.DoesNotExist:
             if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                 try:
                     return User.objects.get(email=email)
                 except User.DoesNotExist:
                     pass
         return None

Steps to Reproduce

1. Login with an active user
2. Disable the user in admin (is_active=False)
3. Login again with the user
4. You are logged in with a new user (with a duplicated sub)

Environment

• People version: N/A
• Platform: N/A

Possible Solution
N/A

Additional context/Screenshots
N/A