Add setting to force login through openid #21851
Conversation
techknowlogick
added
type/enhancement
|
Hey! Thanks for this PR! For approach I'd suggest perhaps using a flag in the auth settings rather than a hardcoded URL/setting this in app.ini. Perhaps a checkbox on this page, for "force login via this auth" (or something like that). If this is not enough details on the direction I am suggesting please let me know and I can provide additional details :) |
GiteaBot
added
the
lgtm/need 2
|
Hey @techknowlogick |
| if checkForceOAuth(ctx) { | ||
| return | ||
| } | ||
|
|
||
| orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers() |
There was a problem hiding this comment.
This is great! Thank you so much!! Are you able to re-use this GetActiveOAuth2Providers call, to reduce the duplication of DB calls?
There was a problem hiding this comment.
I tried that but sadly the map of Providers that GetActiveOAuth2Providers returns is a different object that doesn't contain all the Source attributes, including my ForceOAuth parameter
|
@tiltingpenguin, ah just saw your comment after making my comment. Yeah, let me get an example of what you could use for saving that setting. |
|
Hey @techknowlogick , any update on this? |
|
The reason for the setting not being saved turned out to be the variable naming in the templates |
GiteaBot
added
lgtm/need 1
|
I don't think it's quite ready yet, I probably have a bug in which OAuth app I redirect to and it might be better to not just redirect to the first one with the setting and instead check if multiple OAuth providers are forced |
This PR aims to add a setting that skips the normal login and redirects automatically to the openID login/the configured openID provider The desired behavior can be observed at https://gitea.opensuse.org/ BLENDER NOTE: this is is PR go-gitea#21851, in the hope that this will be merged upstream.
|
At Blender we also need this functionality, so thanks! We still wanted a way to skip the redirect. This commit adds |
|
So in testing this I don't understand why this involves creating an application. Those are meant to give third-party application access to user accounts on Gitea., but what we want to do is the other way around. Is there any reason the redirect URL is not just the same URL found on the /user/login page when the force oauth option is off? That would work without having to create an application. |
|
@brechtvl Im not sure what you mean, you should only need to create an auth source in the admin dashboard and then check the box. Are you able to describe the flow you are seeing in terms of URLs and redirects? |
| for _, source := range authSources { | ||
| if forced, ok := source.Cfg.(auth_service.ForceOAuth); ok && forced.IsOAuthForced() { | ||
| OAuthList = append(OAuthList, source.ID) | ||
| app, err := auth.GetOAuth2ApplicationByID(ctx, OAuthList[0]) |
There was a problem hiding this comment.
Here it looks up an application to get the redirect URL, not an authentication source.
|
To get this working you have to go to the "Applications" tab, create an application and then fill in the appropriate redirect URL. I only understood this from reading the code. |
|
So what you mean is that the OAuth Application where I'm getting the redirect URL from is not the same as the OAuth source? I might have gotten this wrong but in my testing with openID it worked without configuring anything but the authentication source. |
|
Hmm... I'm guessing here that what you actually want to do is to disable login with username/password. In which case this seems like the wrong thing to do as it is hacking around the inability to do that. |
|
@zeripath in the case of Blender (and also my personal use) there is a default provider that should be used for the majority of users, so login link would take you through that flow, but then for the one or two local accounts that is what the query string option to show form would be used for. In the case of people misunderstanding that this would block local logins, for the querystring option I've asked that documentation be added. |
|
@brechtvl ah, I was testing from a non-fresh DB. Thanks for that info. |
|
@techknowlogick I do not know why it could be approved now. At least, I can see some code-level problems:
And I guess there would be some design problems:
|
|
@wxiaoguang To address some of your concerns
About the design:
|
|
Thanks for the detailed explanations 👍 My opinions are: About code-level:
About design:TBH I haven't thought about the details carefully. Just share some here:
|
|
Yes, the goal is to guide users to an auth source by default. But in the case of oauth that makes it difficult without just redirecting the user. For our use case we mostly wanted to cut out the extra step of having the local login displayed and so the automatic redirect was the first approach. While I agree that having a different option for the admin than to manually change the url I don't really see a better way that doesn't involve refactoring the whole login page like you mentioned. And to be honest doing that is way out of my scope and I don't really have the time to implement that. I don't mind adapting the PR though and if you have some proposal that would bring this feature to an acceptable level for you (within reasonable effort) I will try to do that. |
|
@techknowlogick what's your opinion? |
|
ping |
|
@wxiaoguang thank you as always for your thorough reviews. And thank you @tiltingpenguin for your patience as the review on this continues. What about instead of redirecting the login route, the login link itself would change destination to the preferred provider? That way there is no issue with the querystring, and multiple auth providers are still available. |
|
That sounds like a good solution to me. If nothing speaks against it I will go and implement that then |
Finally, the SAML request comes. So it really needs a general approach. |
|
I don't have any experience with SAML so for now I would prefer just supporting OAuth with this option and maybe implement SAML support later |
| var OAuthList []int64 | ||
|
|
||
| for _, source := range authSources { | ||
| if forced, ok := source.Cfg.(auth_service.ForceOAuth); ok && forced.IsOAuthForced() { | ||
| OAuthList = append(OAuthList, source.ID) | ||
| app, err := auth.GetOAuth2ApplicationByID(ctx, OAuthList[0]) | ||
| if err != nil { | ||
| return false | ||
| } | ||
| url := app.PrimaryRedirectURI() | ||
| ctx.Redirect(url) |
There was a problem hiding this comment.
For reference, we simplified like this to avoid involving the application unnecessarily.
| var OAuthList []int64 | |
| for _, source := range authSources { | |
| if forced, ok := source.Cfg.(auth_service.ForceOAuth); ok && forced.IsOAuthForced() { | |
| OAuthList = append(OAuthList, source.ID) | |
| app, err := auth.GetOAuth2ApplicationByID(ctx, OAuthList[0]) | |
| if err != nil { | |
| return false | |
| } | |
| url := app.PrimaryRedirectURI() | |
| ctx.Redirect(url) | |
| for _, source := range authSources { | |
| if forced, ok := source.Cfg.(auth_service.ForceOAuth); ok && forced.IsOAuthForced() { | |
| ctx.Redirect(setting.AppSubURL + "/user/oauth2/" + source.Name) |
There was a problem hiding this comment.
At least for my test case (openID) this doesn't work because you still land on the local login page
yardenshoham
added
the
outdated/backport/v1.19
delvh
added
the
modifies/cli
wxiaoguang
removed
the
outdated/backport/v1.19
This PR aims to add a setting that skips the normal login and redirects automatically to the openID login/the configured openID provider
The desired behavior can be observed at https://gitea.opensuse.org/
Fixes #21741