bug: ability to let users to authenticate with a private oidc provider only

[vladimirdulov]

Steps To Reproduce

Hello,

We are packaged penpot app for Cloudron (https://cloudron.io).

Recently authentication seems to be changed in v2.1.0 and now we are facing with an issue that login via our Cloudron OIDC provider stopped to work until enable-registration flag is set.

The configuration we'd like to have working:

PENPOT_FLAGS="enable-login-with-oidc disable-registration disable-login-with-password disable-email-verification enable-smtp"

But it causes Registration is currently disabled error if OIDC user authenticates first time.

If we set enable-registration flag, authentication via OIDC starts to work but also Create an account link appears on the login form which doesn't have any sense in our case as we'd like users from Cloudron user directory to authenticate.

maybe you can implement enable-registration-with-oidc flag to automatically create OIDC users or create respective users automatically w/o additional flag?

Expected behavior

The configuration we'd like to have working:

PENPOT_FLAGS="enable-login-with-oidc disable-registration disable-login-with-password disable-email-verification enable-smtp"

maybe you can implement enable-registration-with-oidc flag to automatically create OIDC users or create respective users automatically w/o additional flag?

Actual behavior

But it causes Registration is currently disabled error if OIDC user authenticates first time.

If we set enable-registration flag, authentication via OIDC starts to work but also Create an account link appears on the login form which doesn't have any sense in our case as we'd like users from Cloudron user directory to authenticate.

Screenshots or video

No response

Desktop (please complete the following information)

any browser

Smartphone (please complete the following information)

No response

Environment (please complete the following information)

https://www.cloudron.io/store/app.penpot.cloudronapp.html

Frontend Stack Trace

No response

Backend Stack Trace

No response

Additional context

No response

[thebaultyoann]

I'm not sure, but maybe you could put the flag disable-registration on the frontend container, and enable-registration on the back-end container ?

[vladimirdulov]

@thebaultyoann Thanks for a workaround.
I've tried to implement it and it really hides the registration link and makes OIDC auth working but I suspect there could be some security risks that somebody will still be able to register by submitting necessary data.

[thebaultyoann]

Check the API on the /api/doc endpoint of your penpot url. It exists a route to register people, so I guess yes, somebody can register anyway.

But is that really an issue ?
They could register and create an account, but for that they would need to first know the api endpoints, and then try to add an account.
And even with that, someone that use this user would only have his personnal access to penpot and only through the API if you have the flag "disable-login-with-password"

The only issue could be that someone managed through API requests to put himself into your penpot's team and export all the data you have. I didn't took the time to check, but I don't think Penpot team such a security breach open.

[vladimirdulov]

It's not a problem to research endpoints, params, etc. in the code.

When somebody registers in penpot, an email confirmation arrives to confirm the email address specified, if the person follows by the link he gets an access to the dashboard.

[june128]

Reverting 81b52d7 seems to restore the behavior of OIDC working with disable-registration set. I assume this commit was made in response to #4283.
Tho reverting works as a hotfix, this obviously isn't ideal. A solution might be to allow for more fine-grained control over registrations. Maybe flags like this:

• disable-local-registrations for disabling local accounts registrations.
• disable-oidc-registrations for disabling OIDC account registrations.
• Maybe one for ldap as well? Unsure how that integrates as I don't use it.
• disable-registrations to disable all registrations

I believe these flags should support basically all registration use-cases.

[niwinz]

I will look on it ASAP, and we trigger a patch release when it is fixed.

[niwinz]

Added the enable-oidc-registration flag.

#4963

will be released on the next patch version.

[madalenapmelo-kp]

Hi @vladimirdulov,

Thanks for reporting this! We've added this to our backlog on Taiga so that we can look further into it, you can find the details here: https://tree.taiga.io/project/penpot/issue/8477