Login via OpenID-2.0 #618
Login via OpenID-2.0 #618
Conversation
|
@stevenroose if you want to take a look at the new approach that'll help. |
tboerger
added
the
lgtm/need 2
models/user.go
Outdated
| @@ -86,6 +86,7 @@ type User struct { | |||
| Orgs []*User `xorm:"-"` | |||
| Repos []*Repository `xorm:"-"` | |||
| Location string | |||
| OpenID string `xorm:"UNIQUE"` | |||
There was a problem hiding this comment.
Then OpenID should be null default.
modules/setting/setting.go
Outdated
| @@ -689,6 +690,7 @@ please consider changing to GITEA_CUSTOM`) | |||
| CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible") | |||
| ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER") | |||
| MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6) | |||
| EnableOpenIDLogin = sec.Key("ENABLE_OPENID_LOGIN").MustBool(true) | |||
There was a problem hiding this comment.
For compatible consideration, default should be false.
|
Why not implemented as a login type like SMTP or PAM? |
lunny
added
the
type/feature
bkcsoft
added
type/proposal
|
I'm also not very happy about introducing new "first-class login-methods", should IMO be implemented like PAM/SMTP/LDAP. Unless you have a really good reason not to 😉 |
|
On Sun, Jan 08, 2017 at 05:21:33PM -0800, Lunny Xiao wrote:
> + OpenID string `xorm:"UNIQUE"`
Then `OpenID` should be `null` default.
How do I specify that I want a `null` default ? That's what I want.
|
|
On Sun, Jan 08, 2017 at 05:22:34PM -0800, Lunny Xiao wrote:
+ EnableOpenIDLogin = sec.Key("ENABLE_OPENID_LOGIN").MustBool(true)
For compatible consideration, default should be false.
Enabling OpenID Login doesn't break any compatibility.
Anyway it's still too early to deal with this, for now it helps
developers/testers.
|
|
On Sun, Jan 08, 2017 at 05:24:58PM -0800, Lunny Xiao wrote:
Why not implemented as a login type like SMTP or PAM?
That's what the previous attempt tried to do, but the code
to do that ended up being very convoluted: the code did not
expect multi-step login process so I had to use an "ErrorDelegatedAuth"
object as an hack to bend it in; it made no sense to have multiple
"OpenID" login options (like it would to have multiple SMTP authentications);
there was no easy way to handle the "failed login, try next thing" as OpenID
does not have a username/password pair to pass on ...
…--strk;
|
|
On Sun, Jan 08, 2017 at 05:31:07PM -0800, bkcsoft wrote:
I'm also not very happy about introducing new "first-class login-methods", should IMO be implemented like PAM/SMTP/LDAP. Unless you have a _really_ good reason not to 😉
As noted in the other answer, all of PAM/SMTP/LDAP rely on a username/password
pair, and are all checked synchronously. OpenID behaves differently so
abstracting it to look like PAM/SMTP/LDAP makes the code very convoluted
with no obvious advantage. For example you still need a different form.
|
|
Another thing: when you successfully authenticate via OpenID but no
local user with such OpenID is known, the OpenID Login should prompt
you to register as a new user OR "connect" your OpenID to an existing
account, providing username/password to confirm it belongs to you.
Once again this mechanism is very far from the PAM/SMTP/LDAP auth methods.
|
|
|
On Mon, Jan 09, 2017 at 12:26:59AM -0800, bkcsoft wrote:
> How do I specify that I want a `null` default ? That's what I want.
`xorm:"UNIQUE default null"`
I've just checked and at least on PostgreSQL those field already
have a default of null. Is that not the case for other backends ?
|
Better to be specific than to depend on current behaviour :) |
|
TODO:
|
|
For the record: openid.stackexchange.com works as a provider with this implementation |
|
For the record I've just tested this implementation against GNUSocial OpenID provider and it does work great :) |
I'm less familiar with OpenID's internals. Does it provide an authenticated email address? One thing I've seen when authenticating with my google account is that it acts as an alternative auth mechanism... IE once or twice I forgot that I'd originally signed up on a website with a username & password and later just clicked the "login with google" button. The result was that it logged me in without question (or asking my password). Likewise many sites provide a streamlined account creation (skipping the email verification step) as google verifies the email. |
|
OpenID only provides proof of someone being in control of the content
in an URI. Optionally provides some information about the URI "owner",
like `nickname` and `email`, but if you do want a proof of the user
really owning an email you'll have to verify that yourself (or trust
the URI publisher to be in charge of those kind of checks).
So: the registration process still needs to ask you for a username
and an email (for which proposals may be provided via OpenID), signin
would only need to ask you for an URI.
If you have a stackexchange account you can already try this out,
checkout this branch and enter "openid.stackexchange.com" as your
OpenID login...
Likewise many sites provide a streamlined account creation (skipping the email verification step).
Again, this relies on trusting the Identity Provider in their checking
user information, which is something you cannot really expect to be
able to do when willing to let anyone run their own identity provider.
NOTE in the current state of this branch there's no email checking
(I hadn't looked if Gitea has support for those kind of verifications
either).
|
|
Is the OpenID login could be disabled? |
|
Yes. It is disabled by default and has an entry in the configuration file.
On Mar 17, 2017 5:28 AM, Lunny Xiao <[email protected]> wrote:
Is the OpenID login could be disabled?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#618 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ANQ-1QdE0d4ckarvhzn8cIAhBIIdrCTCks5rmlJLgaJpZM4Ld07o>.
|
|
Yeah it's good enought for now. We could iterate on it later if it becomes a pain 🙂 |
|
I am not sure if it is this PR or not, but I think this PR may be causing issues with GitHub OAuth2. |
|
@geek1011 I cannot reproduce issues with OAuth2 on my local system,
please file a new ticket with more information about your setup
|
|
Just a side question: If I rebase my work, the PR relinks all commits and the code-reviewers have to work all over again. How can I prevent this from happening? Tons of merges (as I have to keep it in-sync with development branch) is surely working but not always wanted as it causes a complex GIT history. And thank you @strk for your work. 👍 |
|
Is this installed at https://staging.geek1011.net/ ? Because when I try to login with my OpenID at https://social.mxchange.org/roland, I noticed two things:
cookies and JavaScript are allowed. |
|
This branch is actually merged to master now, and functionality is exposed on try.gitea.io |
|
@Quix0r please file a ticket if things don't work for you. |
|
BTW: you might be interested in some OpenID merge requests I filed for GNUSocial, as I see your instance is also affected. Take a look at these: |
|
Okay, seems to work here: https://try.gitea.io/Quix0r So I guess it is not my instance (it is now pure GS code, without my changes). |
|
Hi, just to raise a question in a related issue before creating a new one. Are there any plans to support OpenID Connect as well, or are we staying with OpenID 2.0? |
|
Not working anymore: |
|
OpenID-Connect could be added as one of the flows supported by the
OAuth2 provider. I don't think anyone is working on it but that's
likely the plan, want to help ?
|
|
ah, great, thanks for testing! |
|
Correct dex link, for the record: https://github.com/coreos/dex |
|
Umm that link to |
|
@sbrl sorry, already updated the link |
|
Is it possible to force OpenID auth and to a certain provider ? My usecase is as follow: I would like to integrate Gitea in a more global solution containing other tools. I would like users to be able to connect through the OIDC server of this solution and going to gitea seamlessly. So, I would like a way to redirect the Gitea login page to this specific OIDC server only in order to connect and use the complete sets of OIDC RFCs to manage sessions, user logout (frontend and backend), user lifecycle (insert, update, delete, frontend and backend). Thanks. |
|
Please do not comment on old merged PR. For feature requests open new issues for questions please use our discord channel or gitea forum https://discourse.gitea.io/ |
This branch superceeds the one in #271,
fixes #185 (once ready)
This version does not make "OpenID" a "Login Source"
but rather a first-class login method which is alternative
to the "username"/"password" pair.
The idea is to allow users to add their OpenID in the settings
and to allow registering via OpenID. Code is not yet complete.