OAuth Login Plugins

[wehowski]

Just a note:
Regarding Logon with Webfan, Login with Google Plugins:
Emails can change, so instead of linking the ra-mail to the provider-email we MUST link the provider-provider-user-id with the RA-ID!
An extra table is needed, I will write a generic OAuth Plugin instead one Plugin for each provider...

[danielmarschall]

Sorry, but this would significantly impace the whole way the core is designed. It was always intended that the RA EMail is the only primary key that identifies the RA. This is done is all visual grids, in the REST API, even in the FreeOID registry. We cannot change that in the core.

The only thing I can think of is that the "change email address" API is called in order to definitively change the email address of the RA (in the RA, OID, and Log table). Not sure how to detect if the address would change or not.

Easy way suggestion (please always think about easy solutions first!): If the user wants to change their email address, then they first shall login with the old address, and use the change-email-feature. After that, they can change their email address at their OAuth-enabled provider, and login with the new address at OIDplus. This way we do not need to change or add anything to OIDplus.

[wehowski]

Sorry, you misunderstood me!

I do NOT want to change email adress!

I want only to change the relation between OAuth Provider Account and OIDplus account! (by an extra table!)

Not it is:

• (OAuth)provider-email <--> OIDplus-email

I want to change it to

• (OAuth) provider + provider_user_id <--> OIDplus-RA-ID (internal _ra table!)

This way the user change emails at OIDplus and the OAuht provider and the relation stays correct and the user still can login with the OAuth provider!!!

Other OAuth logins work this way.

[danielmarschall]

The OID table and all modules are expecting the RA email as primary key. If the OIDplus email is what you define as "OIDplus-RA-ID", then I understand.

As long as you introduce this extra table only for your plugin, it is okay. Unfortunately, it is not possible to bundle it to the Core unless the table is compatible with all supported DBMS slangs (PostgreSQL, Sqlite, Access, MySQL, etc.), this is why extra tables are very hard to do in OIDplus.

[wehowski]

The OID table and all modules are expecting the RA email as primary key. If the OIDplus email is what you define as "OIDplus-RA-ID", then I understand.
The RA Table has an AI PRIMARY id which do not change, I think I can use it for the relation as it is used for the OAuth-Relation only.
The RA-Email can be changed and so SHOULD NOT be used as primary key!!!
I refer to the key of the internal DB, if the mail is key for the global OID it is ok, but NOT for an internal primary database key which is not supposed to change!?!

[wehowski]

... Nachtrag : OID key for Owner !== RA ID for user
!?!

[danielmarschall]

OID Table contains ra_email instead of ra_id, this is one reason why the email field the ra table has an Unique (and for other DBMSs also ForeignKey) constraint.

Sorry, I cannot change the Core structure at this point.

So, did you really think about all the use cases? What if someone uses an OAuth provider and change their OAuth email address with an address that exists at OIDplus with a different RA, but not the one that is connected with your provider_user_id ?

Please do what you think is correct. I can just give the friendly advice to think about the easiest solution first, and try to think about realistic use-cases. How likely is it, that someone uses OAuth, and use OIDplus, and change their email adress and/or have a different email adress for OAuth Provider and OIDplus? I think the chance that all 3 apply is near 0.

[wehowski]

So, did you really think about all the use cases? What if someone uses an OAuth provider and change their OAuth email address with an address that exists at OIDplus with a different RA, but not the one that is connected with your provider_user_id ?

OAuth sends an user ID from the provider and the RA table has an ID.

For this use case there is no reaason to use email as key, email can be changed.

Please do what you think is correct.
Yes.
I will implement it as soon as I have time, there is no need to change OIDplus core code for this.
I know this will work because I used it in so many other implementations successfully, e.g. for elgg https://webfan.de/install/?source=Webfan\ElggPatch\Controller\Connect

[danielmarschall]

there is no need to change OIDplus core code for this.

Thanks. This relieves me.

elgg https://webfan.de/install/?source=Webfan\ElggPatch\Controller\Connect

I have no idea what this is, but please please please use code-formatter tools to at least fix the indentation! :-)