allow synchronizing user status from OAuth2 login providers #31572
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This leverages the existing `sync_external_users` cron job to synchronize the IsActive flag on users who use an OAuth2 provider set to synchronize. This synchronization is done by checking for expired access tokens, and using the stored refresh token to request a new access token. If the response back from the OAuth2 provider is the `invalid_grant` error code, the user is marked as inactive. However, the user is able to reactivate their account by logging in the web browser through their OAuth flow. Also changed to support this is that a linked `ExternalLoginUser` is always created upon a login or signup via OAuth2.
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/L
github-actions
bot
added
modifies/go
|
Backlinking to tracking issue #23794 |
6543
reviewed
Jul 11, 2024
6543
reviewed
Jul 12, 2024
6543
approved these changes
Jul 16, 2024
GiteaBot
added
lgtm/need 1
GiteaBot
added
lgtm/done
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Jul 17, 2024
* giteaofficial/main: [skip ci] Updated translations via Crowdin Allow searching issues by ID (go-gitea#31479) allow synchronizing user status from OAuth2 login providers (go-gitea#31572) Enable `no-jquery/no-class-state` (go-gitea#31639) Added default sorting milestones by name (go-gitea#27084)
silverwind
added a commit
to techknowlogick/gitea
that referenced
this pull request
Jul 23, 2024
* origin/main: (59 commits) fix OIDC introspection authentication (go-gitea#31632) Enable direnv (go-gitea#31672) [skip ci] Updated translations via Crowdin [skip ci] Updated translations via Crowdin fix redis dep (go-gitea#31662) add skip secondary authorization option for public oauth2 clients (go-gitea#31454) Fix a branch divergence cache bug (go-gitea#31659) [skip ci] Updated translations via Crowdin Remove unneccessary uses of `word-break: break-all` (go-gitea#31637) [skip ci] Updated translations via Crowdin Allow searching issues by ID (go-gitea#31479) allow synchronizing user status from OAuth2 login providers (go-gitea#31572) Enable `no-jquery/no-class-state` (go-gitea#31639) Added default sorting milestones by name (go-gitea#27084) Code editor theme enhancements (go-gitea#31629) Add option to change mail from user display name (go-gitea#31528) Upgrade xorm to v1.3.9 and improve some migrations Sync (go-gitea#29899) Issue Templates: add option to have dropdown printed list (go-gitea#31577) Fix update flake (go-gitea#31626) [skip ci] Updated translations via Crowdin ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This leverages the existing
sync_external_userscron job to synchronize theIsActiveflag on users who use an OAuth2 provider set to synchronize. This synchronization is done by checking for expired access tokens, and using the stored refresh token to request a new access token. If the response back from the OAuth2 provider is theinvalid_granterror code, the user is marked as inactive. However, the user is able to reactivate their account by logging in the web browser through their OAuth2 flow.Also changed to support this is that a linked
ExternalLoginUseris always created upon a login or signup via OAuth2.Notes on updating permissions
Ideally, we would also refresh permissions from the configured OAuth provider (e.g., admin, restricted and group mappings) to match the implementation of LDAP. However, the OAuth library used for this
goth, doesn't seem to support issuing a session via refresh tokens. The interface provides aRefreshTokenmethod, but the returnedoauth.Tokendoesn't implement thegoth.Sessionwe would need to callFetchUser. Due to specific implementations, we would need to build a compatibility function for every provider, since they cast to concrete types (e.g. Azure)