
OAuth Login Plugins #83

Open
wehowski opened this issue Jan 24, 2025 · 8 comments
Assignees
Labels
idea Ideas third-party Ideas and Requests for third-party tools and plugins

Comments

@wehowski
Collaborator

Just a note:
Regarding Logon with Webfan, Login with Google Plugins:
Emails can change, so instead of linking the RA email to the provider email we MUST link the provider's user ID with the RA-ID!
An extra table is needed; I will write a generic OAuth Plugin instead of one Plugin for each provider...

@wehowski wehowski added the idea Ideas label Jan 24, 2025
@wehowski wehowski self-assigned this Jan 24, 2025
@danielmarschall
Owner

Sorry, but this would significantly impact the whole way the core is designed. It was always intended that the RA EMail is the only primary key that identifies the RA. This is done in all visual grids, in the REST API, even in the FreeOID registry. We cannot change that in the core.

The only thing I can think of is that the "change email address" API is called in order to definitively change the email address of the RA (in the RA, OID, and Log table). Not sure how to detect if the address would change or not.

Easy way suggestion (please always think about easy solutions first!): If the user wants to change their email address, then they first shall login with the old address, and use the change-email-feature. After that, they can change their email address at their OAuth-enabled provider, and login with the new address at OIDplus. This way we do not need to change or add anything to OIDplus.

@wehowski
Collaborator Author

wehowski commented Jan 24, 2025

Sorry, you misunderstood me!

I do NOT want to change the email address!

I want only to change the relation between OAuth Provider Account and OIDplus account! (by an extra table!)

Now it is:

  • (OAuth)provider-email <--> OIDplus-email

I want to change it to

  • (OAuth) provider + provider_user_id <--> OIDplus-RA-ID (internal _ra table!)

This way the user can change emails at OIDplus and the OAuth provider, the relation stays correct, and the user can still log in with the OAuth provider!!!

Other OAuth logins work this way.

@danielmarschall
Owner

The OID table and all modules are expecting the RA email as primary key. If the OIDplus email is what you define as "OIDplus-RA-ID", then I understand.

As long as you introduce this extra table only for your plugin, it is okay. Unfortunately, it is not possible to bundle it to the Core unless the table is compatible with all supported DBMS slangs (PostgreSQL, Sqlite, Access, MySQL, etc.), this is why extra tables are very hard to do in OIDplus.

@wehowski
Collaborator Author

The OID table and all modules are expecting the RA email as primary key. If the OIDplus email is what you define as "OIDplus-RA-ID", then I understand.
The RA Table has an AI PRIMARY id which does not change; I think I can use it for the relation, as it is used for the OAuth relation only.
The RA-Email can be changed and so SHOULD NOT be used as primary key!!!
I refer to the key of the internal DB, if the mail is key for the global OID it is ok, but NOT for an internal primary database key which is not supposed to change!?!

@wehowski
Collaborator Author

... Addendum: OID key for Owner !== RA ID for user
!?!

@danielmarschall
Owner

OID Table contains ra_email instead of ra_id; this is one reason why the email field of the ra table has a Unique (and for other DBMSs also ForeignKey) constraint.

Sorry, I cannot change the Core structure at this point.

So, did you really think about all the use cases? What if someone uses an OAuth provider and changes their OAuth email address to an address that exists at OIDplus with a different RA, but not the one that is connected with your provider_user_id?

Please do what you think is correct. I can just give the friendly advice to think about the easiest solution first, and try to think about realistic use-cases. How likely is it that someone uses OAuth, uses OIDplus, and changes their email address and/or has a different email address for the OAuth Provider and OIDplus? I think the chance that all 3 apply is near 0.

@wehowski
Collaborator Author

So, did you really think about all the use cases? What if someone uses an OAuth provider and change their OAuth email address with an address that exists at OIDplus with a different RA, but not the one that is connected with your provider_user_id ?

OAuth sends a user ID from the provider and the RA table has an ID.

For this use case there is no reason to use email as key; email can be changed.

Please do what you think is correct.
Yes.
I will implement it as soon as I have time, there is no need to change OIDplus core code for this.
I know this will work because I used it in so many other implementations successfully, e.g. for elgg https://webfan.de/install/?source=Webfan\ElggPatch\Controller\Connect
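The mapping proposed in this thread (an extra table keyed on provider and provider_user_id, resolved against the RA table's own auto-increment id rather than the email) and the use case danielmarschall raised (the provider's email claim changes to an address that belongs to a different RA), worked through as an added example. This is not OIDplus code and not the plugin's code: the `ra` and `oauth_link` tables, the provider name `example-provider`, the subject id `sub-1234` and the sample addresses are constructed for this example and are assumptions about the schema described above.

```python
import sqlite3

# Constructed schema for this example; an assumption, not OIDplus's real tables.
# "ra" models what the thread describes: an auto-increment id plus a UNIQUE email.
# "oauth_link" is the proposed extra table, keyed on (provider, provider_user_id).
SCHEMA = """
CREATE TABLE ra (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT    NOT NULL UNIQUE
);
CREATE TABLE oauth_link (
    provider         TEXT    NOT NULL,
    provider_user_id TEXT    NOT NULL,
    ra_id            INTEGER NOT NULL REFERENCES ra(id) ON DELETE CASCADE,
    PRIMARY KEY (provider, provider_user_id)
);
"""


def open_db():
    """In-memory SQLite database with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_ra(conn, email):
    return conn.execute("INSERT INTO ra (email) VALUES (?)", (email,)).lastrowid


def change_ra_email(conn, ra_id, new_email):
    conn.execute("UPDATE ra SET email = ? WHERE id = ?", (new_email, ra_id))


def link_oauth(conn, ra_id, provider, provider_user_id):
    """Bind one provider identity to one RA. The composite primary key means a
    second INSERT for the same (provider, provider_user_id) raises IntegrityError,
    so a provider identity can never point at two RAs."""
    conn.execute(
        "INSERT INTO oauth_link (provider, provider_user_id, ra_id) VALUES (?, ?, ?)",
        (provider, provider_user_id, ra_id),
    )


def resolve_by_email_claim(conn, email_claim):
    """The mapping the thread wants to move away from: match the provider's
    email claim against the RA email. Returns the RA id or None."""
    row = conn.execute("SELECT id FROM ra WHERE email = ?", (email_claim,)).fetchone()
    return row[0] if row else None


def resolve_by_provider_id(conn, provider, provider_user_id):
    """The proposed mapping: look up the provider's stable user id in the extra
    table. The email claim is deliberately not consulted. Returns RA id or None."""
    row = conn.execute(
        "SELECT ra_id FROM oauth_link WHERE provider = ? AND provider_user_id = ?",
        (provider, provider_user_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Walk through the thread's use case with constructed data: Alice links her
    provider account, later changes her OIDplus address, and the provider's email
    claim ends up equal to Bob's OIDplus address."""
    conn = open_db()
    alice = create_ra(conn, "alice@example.org")  # constructed sample RAs
    bob = create_ra(conn, "bob@example.org")
    link_oauth(conn, alice, "example-provider", "sub-1234")  # constructed ids

    before = resolve_by_provider_id(conn, "example-provider", "sub-1234")

    # Alice changes her OIDplus email; the link row is untouched.
    change_ra_email(conn, alice, "alice.new@example.org")
    after_change = resolve_by_provider_id(conn, "example-provider", "sub-1234")

    # The provider now sends an email claim that happens to be Bob's RA address.
    email_claim = "bob@example.org"
    by_email = resolve_by_email_claim(conn, email_claim)
    by_provider_id = resolve_by_provider_id(conn, "example-provider", "sub-1234")

    # An identity that was never linked gets no RA at all.
    unknown = resolve_by_provider_id(conn, "example-provider", "sub-9999")
    return {
        "alice": alice,
        "bob": bob,
        "before": before,                  # Alice's RA id
        "after_change": after_change,      # still Alice's RA id
        "by_email": by_email,              # Bob's RA id: the wrong account
        "by_provider_id": by_provider_id,  # Alice's RA id
        "unknown": unknown,                # None
    }


if __name__ == "__main__":
    print(demo())
```

The two resolver functions are the point of comparison: matching on the email claim hands the login to whichever RA currently owns that address, while matching on (provider, provider_user_id) keeps the login bound to the RA that linked the account, whatever either side's email is today. The composite primary key on the link table is what stops one provider identity from being attached to two RAs.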

@danielmarschall
Owner

there is no need to change OIDplus core code for this.

Thanks. This relieves me.

elgg https://webfan.de/install/?source=Webfan\ElggPatch\Controller\Connect

I have no idea what this is, but please please please use code-formatter tools to at least fix the indentation! :-)

@danielmarschall danielmarschall added the third-party Ideas and Requests for third-party tools and plugins label Jan 25, 2025