[BUG] Google oauth doesn't allow access to new users #1116

Closed
Leen15 opened this issue Feb 1, 2023 · 5 comments
Labels
type: bug something is broken, we need to fix it

Comments


Leen15 commented Feb 1, 2023

Fider Cloud or Self Hosted
Self Hosted Fider, version 0.21.1

Describe the bug
We are testing Fider in private mode, enabling the Google OAuth provider.
We expect that any user can access the service using the OAuth provider, as specified in the description of the privacy mode:
> A private site prevents unauthenticated users from viewing or interacting with its content. When enabled, only already registered users, invited users and users from trusted OAuth providers will have access to this site.

Instead, only OAuth users that match the email of manually added users can log in.

I don't know if it's the reason, but I found a PR ( #1068 ) that should allow oauth providers to be set as "trusted" BUT it seems that system providers are not set as "Trusted" by default and there is no way to change them (it's hardcoded):

IsTrusted: false,

Any help on this?
Thanks

Leen15 added the type: bug label Feb 1, 2023
Member

goenning commented Feb 2, 2023

Hey @Leen15 this is actually expected.

If we set google/facebook/github as Trusted, then any user from this platform would be able to sign in to the private site.

Trusted providers are meant to be used only on custom OAuth to allow only some users; this is most commonly used to restrict a private site to employees only.

goenning closed this as not planned Feb 2, 2023
Author

Leen15 commented Feb 3, 2023

Thank you @goenning, I understand your POV.
Unfortunately this totally excludes the option to use Google OAuth with internal applications, commonly used by companies to allow OAuth access to only users with a specific company domain.
Also, this excludes the option to use Fider only after a signup (but without the need to manually invite users), preventing anonymous users from using the service.

Member

goenning commented Feb 3, 2023

Are you using Google Workspaces? You should then use custom OAuth and just enter your details there.

The system OAuth is for public access.

Author

Leen15 commented Feb 9, 2023

> Are you using Google Workspaces? You should then use custom OAuth and just enter your details there.
>
> The system OAuth is for public access.

Yes we are, but we cannot find any example of how to set it up with a custom OAuth in Fider (https://fider.io/docs/configuring-oauth). Usually we only have to set up the Client ID and the Secret for a Google login.
Can you give us a hint about what we should set in every field with the Google provider?

Author

Leen15 commented Feb 9, 2023

If somebody else needs to do the same, this is the configuration to set Google as a custom OAuth Provider:

  • Create an "OAuth 2.0 Client ID" in Google Cloud Console, leave the "Authorised redirect URIs" empty.
  • Create a new OAuth Provider in Fider and set it as follows:
    Client ID: <provided by google>
    Client Secret: <provided by google>
    Authorize URL: https://accounts.google.com/o/oauth2/auth
    Token URL: https://oauth2.googleapis.com/token
    Scope: https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
    Profile API URL: https://www.googleapis.com/oauth2/v1/userinfo?alt=json
    Trusted Source: Yes
    Status: Enabled
  • Press save, then get the Callback URL provided by Fider and set it in the "Authorised redirect URIs" in Google Cloud Console.

You should now be able to access using google.
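
As the maintainer notes above, a trusted provider lets in any user the provider authenticates, so with this setup the restriction to company accounts has to hold on the Google side. The following is an added example (not from the thread and not Fider's code) that audits profile responses from the Profile API URL against one expected Workspace domain; `example.com`, the function names and the sample profiles are constructed, and the `hd` and `verified_email` field names are assumed from Google's userinfo response format.

```python
# Added example: audit Google userinfo profiles against one Workspace domain.
# ALLOWED_DOMAIN and SAMPLE_PROFILES are constructed; "hd" and
# "verified_email" are assumed field names of the userinfo response.
ALLOWED_DOMAIN = "example.com"

SAMPLE_PROFILES = [
    {"email": "Ana@Example.com", "verified_email": True, "hd": "example.com"},
    {"email": "bob@gmail.com", "verified_email": True},  # consumer account
    {"email": "eve@example.com.evil.test", "verified_email": True,
     "hd": "example.com.evil.test"},  # lookalike domain
    {"email": "dan@example.com", "verified_email": False, "hd": "example.com"},
    {"email": "not-an-email", "verified_email": True, "hd": "example.com"},
]


def workspace_membership(profile, allowed_domain):
    """Return (allowed, reason) for one userinfo JSON object."""
    allowed = allowed_domain.strip().lower()
    email = str(profile.get("email") or "").strip().lower()
    local, sep, email_domain = email.rpartition("@")
    if not (sep and local and email_domain):
        return False, "missing or malformed email"
    # Require the literal boolean: a string such as "false" must not pass.
    if profile.get("verified_email") is not True:
        return False, "email not verified"
    hd = str(profile.get("hd") or "").strip().lower()
    if not hd:
        return False, "no hosted domain"
    # Exact comparison, never suffix or substring matching.
    # Assumption: the organisation uses a single domain for all accounts.
    if hd != allowed or email_domain != allowed:
        return False, "domain mismatch"
    return True, "ok"


def audit(profiles, allowed_domain):
    """Return [(email, reason)] for every profile that should not be admitted."""
    rejected = []
    for profile in profiles:
        ok, reason = workspace_membership(profile, allowed_domain)
        if not ok:
            rejected.append((profile.get("email"), reason))
    return rejected


if __name__ == "__main__":
    for email, reason in audit(SAMPLE_PROFILES, ALLOWED_DOMAIN):
        print(f"REJECT {email}: {reason}")
```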
