
Implement logging in via external identity providers

Open thepaperpilot opened this issue 2 years ago • 5 comments

Description

Implements https://github.com/LemmyNet/lemmy/issues/2930. I believe https://github.com/LemmyNet/lemmy/issues/489 is a duplicate of that issue, and would also be considered implemented by this. Note that this does NOT make lemmy itself an identity provider, and thus does NOT implement https://github.com/LemmyNet/lemmy/issues/1368.

External auth methods can be added via the admin settings, and then buttons are shown on the login page to use those auth methods instead of "basic" auth (username + password). The implementation supports both OAuth and OIDC auth methods, and can register non-existent users as well (if a new setting is explicitly turned on).

Other frontends that wish to support these external auth methods can use the changes in lemmy-ui as a reference. They'll need to show the buttons to go to the authorization URL with the appropriate redirect URI, and then implement the endpoint at that URI that takes the auth cookie and navigates to the redirect URI param it was passed. Optionally, frontends can also implement the new admin settings.

Future Work

Most of these are not implemented because my understanding is lemmy-ui is getting replaced soon-ish anyways, and these are tasks that would take a while to implement, which is probably not worth it imo.

  • Make frontends have convenient presets for common identity providers (like Google, GitHub, Discord, etc.) that hide the well-known fields (i.e. just show client ID and secret).
  • PKCE support (more secure version of OAuth)
  • If auto-registration is disabled, bring non-existent users to a modified version of the signup page where the email is pre-filled and readonly, and the password field is hidden
  • Improve error handling/messaging (for example if an external auth method fails to save due to a non-unique client ID)


thepaperpilot avatar Dec 08 '23 17:12 thepaperpilot
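
The frontend flow described in the PR description above, sketched as an added example that is not code from this PR or from lemmy-ui: building the authorization URL behind a login button, and a callback endpoint that only navigates to a same-origin redirect target. All names, the `state` and `redirect` query parameters, the session object and the URLs are assumptions; auth cookie handling is left out.

```javascript
// Added example with hypothetical names; not lemmy or lemmy-ui code.
// Constructed sample provider entry, as an admin might configure it.
const SAMPLE_PROVIDER = {
  authorizationEndpoint: "https://idp.example/authorize",
  clientId: "lemmy-ui",
  scopes: "openid email",
};

// Build the URL behind a "log in with <provider>" button.
// `state` must come from a CSPRNG and be stored in the user's session by the caller.
function buildAuthorizationUrl(provider, callbackUrl, state) {
  const url = new URL(provider.authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", provider.clientId);
  url.searchParams.set("redirect_uri", callbackUrl);
  url.searchParams.set("scope", provider.scopes);
  url.searchParams.set("state", state);
  return url.toString();
}

// Reduce the post-login redirect parameter to a same-origin path, or "/".
// Resolving against the site origin and comparing origins also rejects
// "//host", "/\host" and inputs with embedded tabs, which browsers treat
// as absolute URLs on another host.
function safeRedirectTarget(param, siteOrigin) {
  if (typeof param !== "string" || !param.startsWith("/")) return "/";
  let resolved;
  try {
    resolved = new URL(param, siteOrigin);
  } catch {
    return "/";
  }
  if (resolved.origin !== new URL(siteOrigin).origin) return "/";
  return resolved.pathname + resolved.search + resolved.hash;
}

// Callback endpoint logic: the state value is single use and must match
// the one stored when the login button was clicked.
function handleCallback(query, session, siteOrigin) {
  const expected = session.oauthState;
  session.oauthState = undefined;
  if (!expected || query.state !== expected) {
    return { ok: false, redirect: "/login" };
  }
  return { ok: true, redirect: safeRedirectTarget(query.redirect, siteOrigin) };
}
```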

Woodpecker is failing but it works for me locally. I'm not totally sure how to handle the error it's giving. Could one of the reviewers help me out?

thepaperpilot avatar Dec 09 '23 09:12 thepaperpilot

CI seems to fail because there is a mismatch between the SQL schema and the db struct defined in crates/db_schema/src/source/external_auth.rs. Try running diesel migration redo to get the exact db state defined in your migration; if that doesn't help, wipe the db first.

Anyway we are currently busy preparing for the Lemmy 0.19 release, so this will have to wait a while for review.

Nutomic avatar Dec 11 '23 10:12 Nutomic

We'll be able to look at this in greater detail after the new year. The failing lint means you need to run cargo +nightly fmt.

dessalines avatar Dec 18 '23 20:12 dessalines

Thanks! I plan on also addressing the rest of nutomic's feedback, just haven't been rushing since it's way too late to get into this release.

Would it make sense to add that cargo command as a pre commit step?

thepaperpilot avatar Dec 18 '23 20:12 thepaperpilot

Cool, no rush.

> Would it make sense to add that cargo command as a pre commit step?

We used to use Cargo husky to do that (both fmt and clippy), but stopped using it because

  • It couldn't run on nightly
  • Sometimes takes a long time to run clippy
  • It requires you to run cargo test locally to set up the hooks, which a lot of ppl starting new PRs don't do.

So now we just let CI tell you the errors. You can set up your own git pre-commit hook tho.

dessalines avatar Dec 19 '23 14:12 dessalines

Outdated, feel free to reopen when you work on it again.

Nutomic avatar May 17 '24 09:05 Nutomic