gotosocial icon indicating copy to clipboard operation
gotosocial copied to clipboard

Published 20 hours ago verified publisher icon superseriousbusiness

[feature] overhaul the oidc system

Open theSuess opened this issue 2 years ago • 11 comments

Since I'm very interested in this topic, I've built a draft to implement my feedback on #763, #917 and #309

This is by no means final, and very much intended as a base for further discussions on these issues.

It works by intercepting the first OIDC callback of a user and returns a small page for customizing the username if no matching user is found. The text field is prefilled with the preferred_username claim.

image

It also performs validation and checks the DB for colliding usernames

The biggest open topic IMHO is finding a way to migrate existing OIDC setups to the new ExternalID field. I honestly have no idea what would be the best approach here

theSuess avatar Nov 05 '22 12:11 theSuess

I had an idea for a graceful migration path:

  • Introduce a config flag to try matching the email to existing users
  • If a user already exists for a login request but does not have the externalID set, ask the user if they want to link the account
  • If yes, populate the externalID field
  • If not, ask the user to provide a new username

What do you think about this?

theSuess avatar Nov 10 '22 16:11 theSuess

I had an idea for a graceful migration path:

* Introduce a config flag to try matching the email to existing users

* If a user already exists for a login request but does _not_ have the externalID set, ask the user if they want to link the account

* If yes, populate the externalID field

* If not, ask the user to provide a new username

What do you think about this?

I've now implemented this (without the step of asking for a new username for now).

With this, we have a migration path for servers already using OIDC

theSuess avatar Nov 12 '22 09:11 theSuess

Heya, apologies for being slow to respond to this, it's been rather a hectic week :')

This looks good to me so far! At least, I don't see any glaring issues, but will have to try it out on gts.superseriousbusiness.org (which uses oidc) to see how it works :)

One thing you missed is adding the new config flag to examples/config.yaml, and also updating the documentation here https://github.com/superseriousbusiness/gotosocial/blob/main/docs/configuration/oidc.md.

Once those things are done, I think you can mark this as ready for review and we can have a proper look through it.

Thank you, this is great work!

tsmethurst avatar Nov 12 '22 11:11 tsmethurst

No problem, I'm just happy to hack on something not work-related :grin:

I've added the docs and example config. I always seem to forget at least one place when adding new config options :D

Also marked this PR as ready :crossed_fingers:

theSuess avatar Nov 12 '22 14:11 theSuess

This looks good to me :) @NyaaaWhatsUpDoc do you also wanna review or nah?

tsmethurst avatar Nov 13 '22 13:11 tsmethurst

hey @theSuess , can you merge main into this or rebase to resolve the merge conflicts? then i'll look at it afresh

tsmethurst avatar Nov 20 '22 17:11 tsmethurst

Rebased and tested

theSuess avatar Nov 21 '22 15:11 theSuess

I'll take a look at this today too :) sorry I managed to miss your notifications on this @tsmethurst

NyaaaWhatsUpDoc avatar Nov 22 '22 08:11 NyaaaWhatsUpDoc

No worries pal :)

tsmethurst avatar Nov 22 '22 08:11 tsmethurst

I have started to review this, but I have ran out of spoons for the evening, and it is late. I shall get back to it tomorrow evening most likely :)

NyaaaWhatsUpDoc avatar Nov 23 '22 22:11 NyaaaWhatsUpDoc

i suggest we merge this once 0.6.0 is out, so we have time to mess about with it :)

[edit] Also sorry for the constant need for rebases dominik :grimacing:

tsmethurst avatar Nov 26 '22 11:11 tsmethurst