author: Martin Michaelis <code@mgjm.de> 2021-04-14 14:02:12 +0200
committer: GitHub <noreply@github.com> 2021-04-14 14:02:12 +0200
commit: 55eb1745bd5427c6f84f77703a580d580ac379b3 (patch)
tree: 679159c231cfbd27e37049e713d0b1fa6d5a763e /docs/content
parent: ca2e1d8090ee9450bd47e5518eb515a9ee1e1475 (diff)
OAuth2 auto-register (#5123)
* Refactored handleOAuth2SignIn in routers/user/auth.go

  The function handleOAuth2SignIn was called twice but some code path could only be reached by one of the invocations. Moved the unnecessary code path out of handleOAuth2SignIn.

* Refactored user creation

  There was common code to create a user and display the correct error message. And after the creation the only user should be an admin and if enabled a confirmation email should be sent. This common code is now abstracted into two functions and a helper function to call both.

* Added auto-register for OAuth2 users

  If enabled new OAuth2 users will be registered with their OAuth2 details. The UserID, Name and Email fields from the gothUser are used. Therefore the OpenID Connect provider needs additional scopes to return the corresponding claims.

* Added error for missing fields in OAuth2 response
* Linking and auto linking on oauth2 registration
* Set default username source to nickname
* Add automatic oauth2 scopes for github and google
* Add hint to change the openid connect scopes if fields are missing
* Extend info about auto linking security risk

Co-authored-by: Viktor Kuzmin <kvaster@gmail.com>
Signed-off-by: Martin Michaelis <code@mgjm.de>
Diffstat (limited to 'docs/content')

-rw-r--r--  docs/content/doc/advanced/config-cheat-sheet.en-us.md  15

1 files changed, 15 insertions, 0 deletions
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index f1c5bf1b8e..9bafee846f 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -429,6 +429,21 @@ relation to port exhaustion.
- `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
OpenID URI's to block.
+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
+- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
+ - userid - use the userid / sub attribute
+ - nickname - use the nickname attribute
+ - email - use the username part of the email attribute
+- `UPDATE_AVATAR`: **false**: Update avatar if available from oauth2 provider. Update will be performed on each login.
+- `ACCOUNT_LINKING`: **disabled**: How to handle if an account / email already exists:
+ - disabled - show an error
+ - login - show an account linking login
+ - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)
+
## Service (`service`)
- `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.
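Review bot: the `ACCOUNT_LINKING` entry documents the `auto` risk, but the section never states which claims auto-registration actually depends on, even though the commit message says it uses the UserID, Name and Email fields from the gothUser and that the provider needs additional scopes to return them; add a sentence under `OPENID_CONNECT_SCOPES` or `ENABLE_AUTO_REGISTRATION` naming those three fields and saying registration fails with an error when any is missing, so administrators know what to request from their provider. Second, the nested option lists under `USERNAME` and `ACCOUNT_LINKING` appear to be indented by a single space (`+ - userid - use the userid / sub attribute`); if that is the real indentation, CommonMark renders them as sibling items rather than a nested list, so indent them by two or four spaces to match the parent item's content column. Third, the `REGISTER_EMAIL_CONFIRM` entry says it "overwrites" the `[service]` value, but since the default is the `[service]` value itself, "overrides the `[service]` setting when set" is the precise wording. Finally, casing is mixed across the new lines (`OAuth2`, `oauth2`, `openid connect`); use `OAuth2` and `OpenID Connect` consistently as the rest of the cheat sheet does for product names.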