Easier registration for first login #310

Closed
ericchiang opened this issue Feb 12, 2016 · 4 comments

@ericchiang
Contributor

This was brought up by @fnordahl in #178. For connectors that are implicitly more restrictive, can we have a better first login experience?

Consider adding additional connector options.

Logging in takes you to a page that asks you if you want to register. Clicking yes takes you back to the relying party with an identity.

  • Might be a good default for dex instances which enable registration.
  • Registration step prevents mis-registration by "low friction" remote connectors (e.g. choosing the wrong Google account).

Logging in auto registers you:

  • Would be enabled on a per-connector basis.
  • Good for connectors which require more effort to log in (e.g. type in your LDAP username and password).

@bobbyrullo
Contributor

Interesting. Maybe "auto registration" for some connectors like this.

@andrewstuart
Contributor

andrewstuart commented Apr 22, 2016

As far as I can think, "register" is a bit of a strange action to perform for dex, as an IdP that's primarily concerned thus far with federated identity solutions, and an extra step for end users. Most OIDC clients I've used simply ask if you want to "Log in with google/facebook/github" and will never complain that you haven't explicitly clicked some "register with google/facebook/github" button first. It seems like an unnecessary step, especially from a user perspective. And as someone who has recently set up dex in an admin capacity for the first time, it was a bit confusing when I realized that registration was not automatic.

So "auto registration" seems to me like the sensible default upon successful AuthN, unless dex is extended to allow account management/creation (which may be planned already; I'm still getting used to the project). That's where I think registration makes a lot more sense. Without that, it's a bit of a confusing distinction.

@bobbyrullo
Contributor

> Most OIDC clients I've used simply ask if you want to "Log in with google/facebook/github" and will never complain that you haven't explicitly clicked some "register with google/facebook/github" button first

But dex is an IdP, not an OIDC Client - even though it acts as one sometimes.

> So "auto registration" seems to me like the sensible default upon successful AuthN,

If we added such a feature, I don't think it would be a good idea to make it a default, because existing installations who upgraded might accidentally get this turned on.

> unless dex is extended to allow account management/creation (which may be planned already; I'm still getting used to the project

In fact we have some of that in place already, though it is rudimentary.

@andrewstuart
Contributor

> But dex is an IdP, not an OIDC Client - even though it acts as one sometimes.

Right, so what I mean is that the clients of dex would have to be explicitly aware, and make their users aware, that there's a difference between your first time logging in with dex, and every other time logging in with dex, which is not a common distinction among OIDC Providers.

So even if it's not the default, I think it's a desirable feature across all external identity management systems that dex can connect to. :-)
