Implement OIDC_AUTO_REGISTER setting #4831
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for offering this @AMDHome, but I really try to avoid adding new options unless very much proven to be required, especially where added to meet business/process logic rather than to meet the spec when it comes to auth. This would ideally be done via an issue thread to gain feedback and allow opportunity to think about alternative options. Could you create an issue instead to start this off? You could still link to this PR as a potential implementation example, even if closed. |
1 task
|
Closing in favour of alternative solution discussed in #4833 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds a setting for OIDC_AUTO_REGISTER. This behaves similar to the other third party authentication setting XXXX_AUTO_REGISTER.
Behavior
Defaults to true
When set to true everything behaves as it currently does. If an account does not exist for an OIDC login, then it will be automatically created for them. If it does exist then the user can log in.
When set to false, Oidc logins will fail if a user was not created beforehand. Failure message is set to
auth.failed. In order to log in you must first create an account with another admin account and manually input the External Authentication ID.Why this would be helpful
I work for a university, and our department would like to implement bookstack while using our university's authentication services to handle logins.
Problem is anyone affiliated with the university has a login, but I only want people from my department to have access to our bookstacks instance. Everyone at this university knows their own External Authentication ID so it makes it easy for us to create the accounts manually and control who has access.