unexpected behavior when disabling built-in user authentication

[pameyer]

For an installation with OAuth only authentication, disabling built-in users results in unexpected behavior in the login page:

before disabling built-in accounts

[root@dv-dev ~]# curl -X GET http://localhost:8080/api/admin/authenticationProviders | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
120 481 120 481 0 0 9268 0 --:--:-- --:--:-- --:--:-- 10688
{
"data": [
{
"enabled": true,
"factoryData": "type: XXXXX | userEndpoint: XXXXXX | clientId: XXXXXX | clientSecret: XXXXX",
"subtitle": "",
"title": "ORCID",
"factoryAlias": "oauth2",
"id": "orcid-sandbox"
},
{
"enabled": true,
"factoryData": "",
"subtitle": "Datavers' Internal Authentication provider",
"title": "Dataverse Local",
"factoryAlias": "BuiltinAuthenticationProvider",
"id": "builtin"
}
],
"status": "OK"
}

disable built-in account:

[root@dv-dev ~]# curl -X PUT -d 'false' http://localhost:8080/api/admin/authenticationProviders/buil
tin/enabled

after disabling:

{"status":"OK","data":{"mGET http://localhost:8080/api/admin/authenticationProviders | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
120 482 120 482 0 0 28656 0 --:--:-- --:--:-- --:--:-- 48200
{
"data": [
{
"enabled": true,
"factoryData": "type: orcid | userEndpoint: XXXX | clientId: XXXX | clientSecret: XXXX",
"subtitle": "",
"title": "ORCID",
"factoryAlias": "oauth2",
"id": "orcid-sandbox"
},
{
"enabled": false,
"factoryData": "",
"subtitle": "Datavers' Internal Authentication provider",
"title": "Dataverse Local",
"factoryAlias": "BuiltinAuthenticationProvider",
"id": "builtin"
}
],
"status": "OK"
}

[pdurbin]

@pameyer does restarting Glassfish help?

[pdurbin]

Oh, "false" doesn't do anything. You have to delete the built in provider. I think I documented this but you can fact check me. 😄

[pdurbin]

I'm looking at what I wrote and it's confusing. As of http://guides.dataverse.org/en/4.8.2/installation/config.html#auth-modes-local-vs-remote-vs-both it says this:

---

"Remote only" mode should be considered experimental until #2974 is resolved. For now, "remote only" means:

• Shibboleth or OAuth has been enabled.
• :AllowSignUp is set to "false" per the :doc:config section to prevent users from creating local accounts via the web interface. Please note that local accounts can also be created via API, and the way to prevent this is to block the builtin-users endpoint or scramble (or remove) the BuiltinUsers.KEY database setting per the :doc:config section.
• The "builtin" authentication provider has been disabled. Note that disabling the builting auth provider means that the API endpoint for converting an account from a remote auth provider will not work. This is the main reason why Login page for "only remote authentication" mode #2974 is still open. Converting directly from one remote authentication provider to another (i.e. from GitHub to Google) is not supported. Conversion from remote is always to builtin. Then the user initiates a conversion from builtin to remote. Note that longer term, the plan is to permit multiple login options to the same Dataverse account per Permit multiple login options to the same Dataverse account #3487 (so all this talk of conversion will be moot) but for now users can only use a single login option, as explained in the :doc:/user/account section of the User Guide. In short, "remote only" might work for you if you only plan to use a single remote authentication provider such that no conversion between remote authentication providers will be necessary.

---

Maybe I'm wrong about that false/enabled thing. I don't know. Again, I think you have to delete the whole auth provider and restart Glassfish. If that doesn't work I would suggest reading through #2974.

[pdurbin]

I see that over at #2974 (comment) I wrote, "The main code change I added is to not show the suggestion to convert your account if you have deleted the builtin auth provider."

[pameyer]

restarting glassfish didn't help; and deleting the build-in provider didn't help. :AllowSignUp was at no , changing to false didn't change behavior.

Guessing this is related to the id="otherProviders" jsf:rendered="#{LoginPage.listAuthenticationProviders().size() > 1}">; will investigate further

[pameyer]

Initial guess was incorrect. isOAuthProvider should be called from jsf:rendered="#{LoginPage.authP ; appears to be called for built-in users (returning false, as it should); appears not to be called (at least, does not trigger breakpoint) for OAuth providers (nope, wasn't that either).

[pdurbin]

Today I let @pameyer know about :DefaultAuthProvider at http://guides.dataverse.org/en/4.8.3/installation/config.html#auth-modes-local-vs-remote-vs-both which might mitigate the problem. Or might not. We'll see. 😄

[pameyer]

@pdurbin Thanks for the suggestion - this does appear to work.

[djbrooke]

Thanks @pdurbin !

[pdurbin]

Sure. As I said at #4267 (comment) the documentation is confusing, so maybe this issue should be about cleaning it up.

[pdurbin]

@pameyer heads up that I just marked pull request #6105 as closing this issue. I guess I'll go request a review from you. 😄