-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 auto-register #5123
OAuth2 auto-register #5123
Conversation
The function handleOAuth2SignIn was called twice but some code path could only be reached by one of the invocations. Moved the unnecessary code path out of handleOAuth2SignIn. Signed-off-by: Martin Michaelis <code@mgjm.de>
There was common code to create a user and display the correct error message. And after the creation the only user should be an admin and if enabled a confirmation email should be sent. This common code is now abstracted into two functions and a helper function to call both. Signed-off-by: Martin Michaelis <code@mgjm.de>
If enabled new OAuth2 users will be registered with their OAuth2 details. The UserID, Name and Email fields from the gothUser are used. Therefore the OpenID Connect provider needs additional scopes to return the coresponding claims. Signed-off-by: Martin Michaelis <code@mgjm.de>
Codecov Report
@@ Coverage Diff @@
## master #5123 +/- ##
==========================================
+ Coverage 42.21% 42.23% +0.01%
==========================================
Files 767 771 +4
Lines 81624 82064 +440
==========================================
+ Hits 34458 34657 +199
- Misses 41531 41756 +225
- Partials 5635 5651 +16
Continue to review full report at Codecov.
|
There are some related PRs that might already achieve this functionality. @coolaj86 would you be able to review? |
@techknowlogick I've looked over the files to understand the changes broadly, but I'd like to look more closely later this upcoming week and see if I can manually merge into my branch. @mgjm It looks like there's a lot of value here. You've covered some cases that I haven't covered in my PRs, but the implementation is different so it'll probably take some manual labor to merge them.
I don't think I handled OpenID the same as OAuth2, and it looks like you do, so that sticks out the most as something where we'll probably want pieces of both. |
@coolaj86 Oh, i have not seen your PRs. As far as I can see they have a different approach to new external users. In your version an external user still needs to enter a new username, email und real name. But in my version this information is fetched from the identity provider and therefore a local account can be created without additional user interaction. I think both approaches serve different needs and could (or should) exist at the same time. For example in my use case we have a central SSO identity provider and therefore login should be possible only using this provider (and the user profile can be trusted). But in other situations (e.g. login with GitHub account) a second step to enter a username, real name and so on is the desired option.
This is not really interesting. The user experience is in my version the same as it is currently for users with an already linked account. As soon as they come back from the OAuth2 provider they are logged in. In my version the same applies to users without an account. They get a new one created on the fly. So the end user will not notice a difference between their first login (with account creation) and a later login (when the account already exists). |
@lafriks The following settings would be possible:
IMHO only the first and the last option should be added. The first option ( I would not recommend the fallback options. You ether have a trusted provider where it is desired to actually fail if there is a username collision or you have an untrusted provider, but the the normal registration form with pre filled details is the better option. Especially if #5029 is merged and a password is no longer required. And the desicion whether to do auto registration (with hard failures) or pre fill the registration form would be based on |
@mgjm I agree fallback option is probably not the best one and can have undesired consequences. Now thinking hard fail seems way to go. |
Sounds good. Maybe it is the right time now to add a new settings section |
Yes |
Signed-off-by: Martin Michaelis <code@mgjm.de>
Signed-off-by: Martin Michaelis <code@mgjm.de>
@lafriks Edit: And there seems to be a problem with |
any news on this? |
It would be great if this gets merged in 1.8. Anything I can do to help? |
When the login name is not exist but the email is empty, `` is enabled, login will result in 500.
|
@lunny What is the expected behaviour if the login name does not exist and the email is empty? As far as I know an account cannot be created without an email, so an error is the appropriate reaction. The OAuth2 Provider should have provided the email. If your provider allows to select whether the email is provided, you should probable not use OAuth2 autologin as it is intended for trusted providers. |
@mgjm I think we could redirect to binding page and automatically fill some fields. |
@lunny This could be an alternative, but I think this would be out of the scope of this PR. See this comment. Once the But in some use cases it should be an actual error if the email is missing. The current implementation is planed to be used in environments where registration and local accounts are not wanted. (Login only via oauth2 provider), but can be extended in future PRs. |
@mgjm, it looks like we should set LoginName = Name in our case. I've made a patch already. |
@kvaster I think we should keep the |
@mgjm, seems you're right. The whole user model is not well suited for such authorization model. This is why it will be not possible to link against (for example) ldap account in case user account was created with oauth2. Currently user created with oauth2 will not have linked external account - that's why we should keep LoginName = userId for such accounts. |
I think that the best refactoring would be to make no difference between any authorization models. I.e. local login is also linked authorization. The only problem is how to match user during initial linking. But email or/and username/nickname may be used at this time. |
I suspect that @mgjm You can find some functions here https://github.com/go-gitea/gitea/blob/master/modules/migrations/update.go . Could you always create a linked account at this PR and I think I will send PRs to change other places? |
So this PR should create a new user by only setting This would result in the same state as if there was an existing local account (with an empty password field) and an external account has been linked. @lunny If that is the desired behaviour, this seems doable. |
@mgjm, I think that LoginName should be non empty... Probably we should set LoginName = Name... |
@kvaster I think we should just do the same as a regular sign-up via the sign-up form. And that leaves those fields empty (not set). |
Forcing every external user has a link account could be another PR because it will change a lot. I think the only thing should be done in this PR is to improve the documents mentioned #5123 (comment) |
@mgjm, sent you PR with updated descriptions :) |
Changes
6e2ece4)
Settings
A new settings section (
oauth2_client
) is added and documented incustom/conf/app.ini.sample
andcontent/doc/advanced/config-cheat-sheet.en-us.md
.Breaking changes?
No. The default settings reflect the current behaviour. And OAuth2 auto-register needs to be manually enabled.
Referenced Issues
Implements #3520 und solves the secondary consideration in #1036.