Link user to custom OAuth provider #1665

Closed
fischermario opened this issue Mar 17, 2023 · 9 comments
Labels
enhancement New feature or request

Comments

@fischermario (Contributor)

I'm using Keycloak as an OIDC IdP for Casdoor. I have created a custom OAuth provider in Casdoor according to the official manual.

Unfortunately I cannot link the Casdoor user to the user in Keycloak as the "Link" button in Casdoor is disabled:

[screenshot: Casdoor user page for org-test/test with the "Link" button disabled]

The login works as expected if I manually add the User-ID of the Keycloak user to the "custom" column in the "user" table of the Casdoor database.

  1. Is there any way to do this in the UI instead?

  2. What happens if I want to add a second (or third) custom OAuth provider?

  3. Why are there dedicated columns for OAuth providers in the "user" table in the Casdoor database? Wouldn't it be wiser to have a link table to associate only active 3rd party logins (and therefore avoid overhead)?
    This kind of "hard-coding" was also mentioned in Be able to link & unlink any 3rd-party login in the account page #36.

  4. When I add the Keycloak SAML provider the user seems to be associated automatically (although I cannot test it due to a bug which I described in Wrong application name with Keycloak SAML login #1662). Why does this work differently?

[screenshot: Casdoor user page for org-test/test showing the Keycloak SAML provider associated]

@casbin-bot casbin-bot added the enhancement New feature or request label Mar 17, 2023
@hsluoyz (Member)

hsluoyz commented Mar 17, 2023

@fischermario which Keycloak version do you use?

@fischermario (Contributor, author)

fischermario commented Mar 17, 2023

@hsluoyz: For the OAuth tests I'm using the latest release 21.0.1 of Keycloak.

@leo220yuyaodog (Member)

@fischermario 1. Only the user themselves can perform the link and unlink actions.
2. After the user logs in successfully, the custom column will be overridden by the custom provider type used this time.
3. I also do not know why it was designed that way. You can ask @hsluoyz.

@hsluoyz (Member)

hsluoyz commented Mar 29, 2023

@fischermario

  1. A normal user can link and unlink for himself. The admin can unlink another user, but cannot link for another user, because the user would be bound to a social login owned by the admin. It doesn't make sense.
  2. Currently only one custom provider is supported. We don't want to maintain a link table; it would make things difficult to maintain and performance is also not good. We are a small team and we don't want to spend huge effort just for a very rare use case. How many custom providers do you need? I think we can add up to 3 columns in the DB: custom, custom2, custom3. Hard-coding is the simplest.
  3. Same as above.
  4. SAML and OIDC are different channels, even for the same Keycloak.
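The two designs argued over in items 2 and 3 (one dedicated column per provider type versus a link table keyed by provider) can be compared in a few lines of Go. The following is an added example, not Casdoor's own code or schema: `UserRow`, `LinkTable` and the field names are a simplified model. It shows the consequence the maintainers describe: with a single `custom` column, linking a second custom provider overwrites the first; with a (type, name) keyed link table, two custom providers such as two Keycloak realms coexist and a duplicate link is rejected instead of silently replaced.

```go
package main

import (
	"errors"
	"fmt"
)

// UserRow is a simplified model (not Casdoor's real schema) of a user record
// with one dedicated column per third-party provider type.
type UserRow struct {
	Name   string
	GitHub string // external user ID for the "GitHub" provider type
	Google string
	Custom string // only ONE custom provider fits here
}

// providerColumn maps a provider type to the field that stores its external ID.
func (u *UserRow) providerColumn(providerType string) (*string, bool) {
	switch providerType {
	case "GitHub":
		return &u.GitHub, true
	case "Google":
		return &u.Google, true
	case "Custom":
		return &u.Custom, true
	}
	return nil, false
}

// LinkColumn stores the external ID in the dedicated column. A second custom
// provider silently overwrites the first; the previous value is returned so
// the caller can observe the loss.
func (u *UserRow) LinkColumn(providerType, externalID string) (prev string, err error) {
	col, ok := u.providerColumn(providerType)
	if !ok {
		return "", fmt.Errorf("unsupported provider type %q", providerType)
	}
	prev = *col
	*col = externalID
	return prev, nil
}

// LinkKey identifies a provider by type AND configured name, so two custom
// providers (e.g. two Keycloak realms) do not collide.
type LinkKey struct {
	ProviderType string
	ProviderName string
}

// LinkTable is the alternative design: one entry per (user, provider) link,
// here as an in-memory map standing in for a database table with a join.
type LinkTable map[string]map[LinkKey]string // user name -> provider -> external ID

var ErrAlreadyLinked = errors.New("provider already linked to this user")

// Link adds a link and refuses to overwrite an existing one for the same provider.
func (t LinkTable) Link(user string, key LinkKey, externalID string) error {
	links, ok := t[user]
	if !ok {
		links = map[LinkKey]string{}
		t[user] = links
	}
	if _, exists := links[key]; exists {
		return ErrAlreadyLinked
	}
	links[key] = externalID
	return nil
}

// Lookup returns the external ID linked for a given user and provider.
func (t LinkTable) Lookup(user string, key LinkKey) (string, bool) {
	id, ok := t[user][key] // indexing a nil inner map yields the zero value
	return id, ok
}

func main() {
	u := &UserRow{Name: "alice"}
	u.LinkColumn("Custom", "kc-realm-a-1234") // constructed sample IDs
	prev, _ := u.LinkColumn("Custom", "kc-realm-b-5678")
	fmt.Printf("column design: previous custom ID %q was overwritten by %q\n", prev, u.Custom)

	t := LinkTable{}
	t.Link("alice", LinkKey{"Custom", "keycloak-a"}, "kc-realm-a-1234")
	t.Link("alice", LinkKey{"Custom", "keycloak-b"}, "kc-realm-b-5678")
	fmt.Println("link-table design:", t["alice"])
}
```

The security-relevant difference is not storage size but identity: in the column design the provider *type* is the key, so any custom provider's user ID lands in the same slot and the login path cannot tell which IdP issued it; in the link table the provider *name* is part of the key, so an ID from realm A can never be mistaken for one from realm B.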

@fischermario (Contributor, author)

fischermario commented Apr 7, 2023

@hsluoyz
@leo220yuyaodog

  1. I may have to explain my use case a little more: There is no self-service for the user that involves logging into the Casdoor UI. All communication between the application and Casdoor (except the interactive login process itself) is done via the Casdoor API (like creating new users and setting properties).

  2. + 3. This comes at the price of a lot of overhead in the database, because usually only a few providers are being used. Why are you dismissive of the idea of using a link table and doing a join during the database query? Is the ORM a limiting factor?

  3. Different handling of SAML and OIDC is something that I suspected. Is it possible to have the chance of setting the same behaviour for SAML and OIDC? It would be great to have a setting that allows all users in an organization to login with a provider that is associated to the currently used application. Would that be feasible?

@hsluoyz (Member)

hsluoyz commented Apr 7, 2023

@fischermario

  1. I don't understand what you said.
  2. We care more about our development overhead than about database storage overhead. As you see, we have a long list of GitHub issues, and this one (maintaining another DB table) is not high priority compared to the others. So we will not put more effort into this one. If you want to contribute a PR for it, it may be acceptable.
  3. SAML and OIDC are two different protocols and are handled in different parts of the code inside Casdoor. We aim to provide "similar" UX at a high level. So if the "Custom" provider channel cannot link the user, report the bug and we will try to fix it.

@fischermario (Contributor, author)

@hsluoyz

  1. What I mean is that the users of my application will not be able to log into Casdoor to click the "Link" button. I wanted this step to be done automatically.

  2. I understand your concerns. As of now my time is limited too, but I will take care of Does casdoor support revoke oauth2 access token? #1574 first.

  3. Understood. Thanks for the clarification.

@hsluoyz (Member)

hsluoyz commented Apr 8, 2023

For 1., as we already said, that button is gray because we don't allow an admin to "Link" for another user, even if you are an admin. E.g., if you are admin, you can NOT click the "Link" button for alice. Even if you are admin, you cannot do this. It's just forbidden by the system. An admin can only click the "Link" button for the same admin user (the same org and the same name).

So ALL people can only link for themselves (i.e. on this page: https://door.casdoor.com/account instead of: https://door.casdoor.com/users/built-in/erguotou520).

If you still found a bug when a user links for himself, please create a new issue. Given this issue's topic is diverged too far away, it will be closed now.

@hsluoyz hsluoyz closed this as completed Apr 8, 2023
@casdoor casdoor locked as off-topic and limited conversation to collaborators Apr 8, 2023
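The access rule the maintainer spells out (linking is self-only, even for admins; unlinking is allowed for the account owner or an admin) is worth writing down as code, because the reason is a security one rather than a UI choice: the third-party identity that a "Link" click binds comes from the *caller's* current social login session, so letting an admin press "Link" on alice's page would attach the admin's IdP identity to alice's account. The following is an added example, not Casdoor's own authorization code; `Principal`, `Account`, `LinkStore` and the error names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is the logged-in caller, identified by organization and name.
type Principal struct {
	Owner   string // organization
	Name    string
	IsAdmin bool
}

// Account is the user record whose third-party links are being edited.
type Account struct {
	Owner string
	Name  string
}

var (
	ErrLinkOtherUser   = errors.New("link only allowed on your own account: the social identity in this session belongs to the caller, not the target")
	ErrUnlinkForbidden = errors.New("unlink requires owning the account or being an admin")
)

// sameUser is the "same org and same name" test from the maintainer's reply.
func sameUser(p Principal, a Account) bool {
	return p.Owner == a.Owner && p.Name == a.Name
}

// AuthorizeLink: even an admin may not link on another user's page.
func AuthorizeLink(p Principal, a Account) error {
	if !sameUser(p, a) {
		return ErrLinkOtherUser
	}
	return nil
}

// AuthorizeUnlink: the owner or an admin may remove a link.
func AuthorizeUnlink(p Principal, a Account) error {
	if sameUser(p, a) || p.IsAdmin {
		return nil
	}
	return ErrUnlinkForbidden
}

// LinkStore holds provider type -> external ID per account (in-memory stand-in
// for the database columns; Account is comparable so it can be a map key).
type LinkStore map[Account]map[string]string

// Link checks authorization first, then records the external ID.
func (s LinkStore) Link(p Principal, a Account, providerType, externalID string) error {
	if err := AuthorizeLink(p, a); err != nil {
		return err
	}
	if s[a] == nil {
		s[a] = map[string]string{}
	}
	s[a][providerType] = externalID
	return nil
}

// Unlink checks authorization first, then removes the link.
func (s LinkStore) Unlink(p Principal, a Account, providerType string) error {
	if err := AuthorizeUnlink(p, a); err != nil {
		return err
	}
	delete(s[a], providerType) // delete on a nil map is a no-op
	return nil
}

// Linked reports the external ID stored for an account and provider type.
func (s LinkStore) Linked(a Account, providerType string) (string, bool) {
	id, ok := s[a][providerType]
	return id, ok
}

func main() {
	alice := Account{Owner: "org-test", Name: "alice"} // constructed sample data
	self := Principal{Owner: "org-test", Name: "alice"}
	admin := Principal{Owner: "built-in", Name: "admin", IsAdmin: true}

	store := LinkStore{}
	fmt.Println("alice links herself:", store.Link(self, alice, "Custom", "kc-1234"))
	fmt.Println("admin links alice:  ", store.Link(admin, alice, "Custom", "kc-9999"))
	fmt.Println("admin unlinks alice:", store.Unlink(admin, alice, "Custom"))
}
```

Note what this rule does not cover: the use case in the thread, where the application provisions users through the Casdoor API and wants the link created without the user ever visiting the Casdoor UI. Under this rule no API caller other than the user's own session can create the link, which is exactly why the reporter fell back to writing the `custom` column directly.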