[5.x] OAuth: option not to create or update user during authentication #10853
Doc issue: statamic/docs#1464
Are you using a custom guard?
Not for logging into the control panel. I know I can create my own controller. But on the other hand, I think the auto-create feature could be configurable. Until I implement OAuth I create users manually; after implementing OAuth this process will change and (unauthorized) users will be created uncontrollably.
So if you don't have a custom guard... when someone tries to use OAuth to log into Statamic and you choose not to create a user account, nothing happens. You aren't logged in. I must be missing something?
No, when someone tries to use OAuth to log into Statamic, he is redirected to the OAuth authentication site. There he is authenticated and he is returned to Statamic. In Statamic callback URL (
Without OAuth:
With OAuth now:
Result: there can be thousands of unauthorized users in the CP users section.
With OAuth as I suggested:
Result: in the CP users section there are only those users created by the admin.
Is anybody going to solve this problem? Or should I create an addon?
If you're able to solve this with an addon I would say go for it. To be honest I don't understand your situation. If you don't have a user in Statamic/Laravel, there's nothing to be logged in with. The only thing that gets saved to the session is the user id - the whole user doesn't.
But that's the point: don't save anything to the session if the user doesn't exist. No user in session nor his ID (the sentence "the user's identity would be saved in the session" in my description from 1st Oct. above was wrong). My client is used to creating administrator user accounts in the Users section. How should I explain to him that he suddenly has a hundred users in the system? You can ask yourself: what happens when a non-existent user tries to log in by email and password? Is he created? Is he or his email saved to the session? No, only the screen is shaking :-) And I would like the same behavior with OAuth authentication. I already created my private addon. But my suggested solution is configurable and by default the same as native Statamic OAuth.
I see. You only want to use OAuth to match the email with an existing user that you manually created.
Yes
Problem
When implementing OAuth authentication, non-existent users are created (as unauthorized users).
I understand why that is. Normally, in applications, the user logs in with OAuth and registers directly. But I don't need this feature in the CMS administration.
We have corporate OAuth authentication, through which we authenticate in all corporate applications, and I don't want to have hundreds of unauthorized users in the "users" section of Statamic.
Solution
I suggest extending the statamic.oauth configuration option to disable/enable automatic user creation and update.
Usage
Just add config options to config/statamic/oauth.php:
In case of an unauthorized user there is the option to change the redirect URL:
Back compatibility
As you see in src/Http/Controllers/OAuthController.php, the default configuration values do not change the behavior of the current version. So the user will be created and his data will be merged.
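The following is an added illustration of the callback decision the PR describes, written as a stand-alone PHP script rather than taken from Statamic's OAuthController or from this PR. The config keys (create_user, merge_user_data, unauthorized_redirect), the in-memory user store and the two federated identities are all constructed assumptions; the real option names are in the PR and the linked docs issue. The point it shows is the fail-closed path: an identity with no matching local account is redirected and nothing (not even the user id) reaches the session, while the defaults reproduce the current create-and-merge behavior.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users" store standing in for the accounts an admin
// created in the CP Users section. Keyed by lower-cased email.
$users = [
    'alice@example.com' => ['id' => 'u-1', 'name' => 'Alice Admin', 'groups' => ['admins']],
];

// Assumed config shape for config/statamic/oauth.php. With both toggles true
// the outcome is the pre-PR behavior (create missing users, merge IdP data).
$config = [
    'create_user'           => false,
    'merge_user_data'       => false,
    'unauthorized_redirect' => '/cp/auth/login?error=unauthorized',
];

/**
 * Decide what the OAuth callback should do with a federated identity.
 *
 * Returns either ['action' => 'login', 'user_id' => ..., 'created' => bool]
 * or ['action' => 'redirect', 'to' => ..., 'reason' => ...]. Only the
 * returned user_id would ever be written to the session by the caller;
 * a redirect result carries no identity at all.
 */
function handleOAuthCallback(array $identity, array &$users, array $config): array
{
    $email = strtolower(trim((string) ($identity['email'] ?? '')));
    if ($email === '') {
        // Providers can omit or hide the email; treat that as unknown.
        return ['action' => 'redirect', 'to' => $config['unauthorized_redirect'], 'reason' => 'no email claim'];
    }

    $existing = $users[$email] ?? null;

    if ($existing === null) {
        if (!$config['create_user']) {
            // Fail closed: the admin did not create this account, so the
            // federated identity is authenticated but not authorized here.
            return ['action' => 'redirect', 'to' => $config['unauthorized_redirect'], 'reason' => 'no local user'];
        }
        // Legacy behavior: auto-provision the account from the IdP data.
        $users[$email] = [
            'id'     => 'u-' . bin2hex(random_bytes(4)),
            'name'   => (string) ($identity['name'] ?? $email),
            'groups' => [],
        ];
        return ['action' => 'login', 'user_id' => $users[$email]['id'], 'created' => true];
    }

    if ($config['merge_user_data']) {
        // Legacy behavior: overwrite locally managed fields with IdP values.
        $users[$email]['name'] = (string) ($identity['name'] ?? $existing['name']);
    }
    return ['action' => 'login', 'user_id' => $existing['id'], 'created' => false];
}

// Constructed identities, shaped like what a provider returns after the redirect.
$known   = ['email' => 'Alice@Example.com', 'name' => 'Alice From IdP'];
$unknown = ['email' => 'mallory@example.com', 'name' => 'Mallory'];

foreach ([$known, $unknown] as $identity) {
    $result = handleOAuthCallback($identity, $users, $config);
    printf("%-20s => %s\n", $identity['email'], json_encode($result));
}
printf("local users after both callbacks: %d\n", count($users));
printf("alice's name untouched: %s\n", $users['alice@example.com']['name']);
```

Running it with the toggles as set prints a login result for Alice (with her locally managed name left alone), a redirect with reason "no local user" for Mallory, and a user count that is still 1. Flipping both toggles to true reproduces the thread's complaint: the second callback adds a new account and the first overwrites Alice's name with whatever the provider sent.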