OAuth2 auto-register #5123
Labels
No Label
backport/done
backport/v1.0
backport/v1.1
backport/v1.10
backport/v1.11
backport/v1.12
backport/v1.13
backport/v1.14
backport/v1.15
backport/v1.2
backport/v1.3
backport/v1.4
backport/v1.5
backport/v1.6
backport/v1.7
backport/v1.8
backport/v1.9
bounty
changelog
dependencies
frontport/done
frontport/main
good first issue
Hacktoberfest
hacktoberfest-accepted
in progress
kind/api
kind/breaking
kind/bug
kind/build
kind/deployment
kind/deprecated
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/misc
kind/moderation
kind/package
kind/proposal
kind/question
kind/refactor
kind/regression
kind/security
kind/summary
kind/testing
kind/translation
kind/ui
kind/upstream-related
kind/usability
kind/ux
lgtm/done
lgtm/need 1
lgtm/need 2
performance/bigrepo
performance/cpu
performance/memory
performance/speed
priority/critical
priority/low
priority/maybe
priority/medium
proposal/rejected
reviewed/confirmed
reviewed/duplicate
reviewed/fixed
reviewed/invalid
reviewed/not-a-bug
reviewed/wontfix
skip-changelog
stale
status/blocked
status/needs-feedback
status/wip
theme/2fa
theme/authentication
theme/avatar
theme/backup-restore
theme/docker
theme/federation
theme/issues
theme/kanban
theme/markdown
theme/migration
theme/mobile
theme/pr
theme/signing
theme/sqlite
theme/timetracker
theme/webhook
theme/wiki
No Milestone
No project
No Assignees
3 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: lunny/gitea#5123
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "oauth2-auto-register"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Changes
a3366c4
and6e2ece4
)Settings
A new settings section (
oauth2_client
) is added and documented incustom/conf/app.ini.sample
andcontent/doc/advanced/config-cheat-sheet.en-us.md
.Breaking changes?
No. The default settings reflect the current behaviour. And OAuth2 auto-register needs to be manually enabled.
Referenced Issues
Implements #3520 und solves the secondary consideration in #1036.
Codecov Report
48.52% <0.00%> (-2.42%)
2.59% <ø> (ø)
0.00% <0.00%> (ø)
0.00% <0.00%> (ø)
0.00% <0.00%> (ø)
0.00% <0.00%> (ø)
53.05% <ø> (+0.38%)
27.27% <0.00%> (ø)
58.05% <0.00%> (-0.45%)
1.72% <0.00%> (-0.02%)
Continue to review full report at Codecov.
There are some related PRs that might already achieve this functionality. @coolaj86 would you be able to review?
@techknowlogick I've looked over the files to understand the changes broadly, but I'd like to look more closely later this upcoming week and see if I can manually merge into my branch.
@mgjm It looks like there's a lot of value here. You've covered some cases that I haven't covered in my PRs, but the implementation is different so it'll probably take some manual labor to merge them.
Can you provide some screenshots or a screencast (QuickTime Player on OS X has a record option) showing the functionality and changes?
Would you mind going through the login process at https://git.coolaj86.com and let me know if my implementation meets your expectations and needs or not?
Please take a look at https://github.com/go-gitea/gitea/pull/5029 and see if there are checkboxes that are missing or that seem incorrect to you.
I don't think I handled OpenID the same as OAuth2, and it looks like you do, so that sticks out the most as something where we'll probably want pieces of both.
@coolaj86 Oh, i have not seen your PRs. As far as I can see they have a different approach to new external users. In your version an external user still needs to enter a new username, email und real name. But in my version this information is fetched from the identity provider and therefore a local account can be created without additional user interaction.
I think both approaches serve different needs and could (or should) exist at the same time. For example in my use case we have a central SSO identity provider and therefore login should be possible only using this provider (and the user profile can be trusted). But in other situations (e.g. login with GitHub account) a second step to enter a username, real name and so on is the desired option.
This is not really interesting. The user experience is in my version the same as it is currently for users with an already linked account. As soon as they come back from the OAuth2 provider they are logged in. In my version the same applies to users without an account. They get a new one created on the fly. So the end user will not notice a difference between their first login (with account creation) and a later login (when the account already exists).
Might be good to check if
gothUser.NickName
contains only allowed gitea username characters and use that and only if it contains not allowed characters than fallback to UserID as in many providers userid will be cryptic uuidThis sounds good. What should be the handling if two users have the same nickname attribute. I think that should be a configuration option. Depending on whiter the nickname attribute of the provider is unique or not. Or is the nickname unique in all common providers?
Don't know about all, might be good if it would fallback to uid also if user with such nickname exists already
@lafriks The following settings would be possible:
OAUTH2_USE_NICKNAME
Whether to use the nickname or the userIDOAUTH2_USERID_FALLBACK
Whether to use the userID as a fallback or failOAUTH2_REGISTRATION_FALLBACK
Whether to fall back to the registration formOAUTH2_PREFILL_REGISTRATION_FORM
Whether to fill the registration form with the details from the OAuth2 providerIMHO only the first and the last option should be added. The first option (
OAUTH2_USE_NICKNAME
) is quite useful as it allows to use different styles of OAuth2 providers and the last option (OAUTH2_PREFILL_REGISTRATION_FORM
) is probably the most useful option. E.g. a GitHub login would still require the user to create the account in the way it is right now, but the registration form could be pre filled with the account details from GitHub. The validation and error handling of the existing registration form could be used without any changes. (e.g. handling of invalid or already taken usernames)I would not recommend the fallback options. You ether have a trusted provider where it is desired to actually fail if there is a username collision or you have an untrusted provider, but the the normal registration form with pre filled details is the better option. Especially if #5029 is merged and a password is no longer required.
And the desicion whether to do auto registration (with hard failures) or pre fill the registration form would be based on
ENABLE_OAUTH2_AUTO_REGISTRATION
.@mgjm I agree fallback option is probably not the best one and can have undesired consequences. Now thinking hard fail seems way to go.
OAUTH2_USE_NICKNAME
would be good to implement in this PR. Other options would be better to be implemented in other PR to not make this one too big and hard to review.Sounds good. Maybe it is the right time now to add a new settings section
[service.oauth2]
or just[oauth2]
?Yes
[oauth2]
would be good@lafriks
OAUTH2_USE_NICKNAME
is now implemented andENABLE_OAUTH2_AUTO_REGISTRATION
could be added in another PR under the new[oauth2]
section.Edit: And there seems to be a problem with
apt
in the CI system (E: Unable to locate package git-lfs
).http://deb.debian.org/debian
currently gives a404 Not Found
?any news on this?
It would be great if this gets merged in 1.8. Anything I can do to help?
@ -863,3 +943,4 @@
if err := ctx.Session.Set("twofaRemember", remember); err != nil {
log.Error("Error setting twofaRemember in session: %v", err)
}
if err := ctx.Session.Set("linkAccount", true); err != nil {
handleUserCreated
When the login name is not exist but the email is empty, `` is enabled, login will result in 500.
@ -863,3 +943,4 @@
if err := ctx.Session.Set("twofaRemember", remember); err != nil {
log.Error("Error setting twofaRemember in session: %v", err)
}
if err := ctx.Session.Set("linkAccount", true); err != nil {
I saw this in oAuth2UserLoginCallback and copied this pattern. But I can fix this ?
@lunny What is the expected behaviour if the login name does not exist and the email is empty? As far as I know an account cannot be created without an email, so an error is the appropriate reaction. The OAuth2 Provider should have provided the email. If your provider allows to select whether the email is provided, you should probable not use OAuth2 autologin as it is intended for trusted providers.
@mgjm I think we could redirect to binding page and automatically fill some fields.
@lunny This could be an alternative, but I think this would be out of the scope of this PR. See this comment. Once the
OAUTH2_REGISTRATION_FALLBACK
andOAUTH2_PREFILL_REGISTRATION_FORM
configuration is implemented (in another PR) we could redirect to the registration page and prefill the form.But in some use cases it should be an actual error if the email is missing. The current implementation is planed to be used in environments where registration and local accounts are not wanted. (Login only via oauth2 provider), but can be extended in future PRs.
Would love to see this hit master. Imho the point of using oauth providers is to reuse accounts instead of creating new ones - the current implementation does not enable this workflow.
Also I feel pretty uncomfortable about dealing with passwords so it would be great to config Gitea to not store any user passwords at all.
Any way to help move this forward?
Section should probably be renamed to
[oauth2-client]
now that oauth2 is used for servercan we spell this out as email instead of mail? and it also looks like there is an unnecessary new line.
@anoff a password will be used when clone via https.
valid point. Wonder how gitlab handles this in the oauth scenario. I guess setting a separate password on demand? For the people I know SSH is the default way to clone.
@anoff right, a password is not always necessary if you use SSH clone/push
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.
Fixed in
6a3a0e7
.@ -863,3 +943,4 @@
if err := ctx.Session.Set("twofaRemember", remember); err != nil {
log.Error("Error setting twofaRemember in session: %v", err)
}
if err := ctx.Session.Set("linkAccount", true); err != nil {
Fixed in
527c7e6
.+1
@ -625,0 +641,4 @@
u = &models.User{
Name: getUserName(&gothUser),
FullName: gothUser.Name,
Email: gothUser.Email,
@lunny one thing I didnt looked at: does this way also migrate migrated-contend to the user?
do we really need to customize these? Maybe just always request "email profile" if
ENABLE_AUTO_REGISTRATION
is enabled?Profile scope may be usefull even without auto linking. This patch also provides possibility for automatic avatar update from oauth provider.
about scopes ... v1.15.0 development has just started ... a follow up pull is the better choice :)
copyright header
blank line.
works & tests PASS (on my pc)
I would like to copy the description from ini file here and add a warning for
auto
because it may automatically link the two accounts only because the two account have same names. It has some security risks.It mostly make sense if you use email to match + require email validation
Yeah, this should also be added to the docs.
I agree, should we add the long description for the
USERNAME
setting as well?@mgjm I think so.
Added thanks to @kvaster.