level12 / keg-auth

Robust authentication system for Keg


Authenticate against Google OAuth

rsyring opened this issue · comments

Create an option to have the app authenticate against Google OAuth with a domain filter.

The idea is that an administrator could create the account and then, instead of having a password, a user could log in with Google OAuth from a list of approved domains.

If a user is on a list of approved domains, then they can only log in with Google OAuth. They cannot log in with a password. They also can't change their email address (to then be able to set a password).

The idea is that at least Level 12 people wouldn't have to have passwords for these sites, and we could remove their access by disabling their Google account.
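The domain-lock rules described above, as an added example that is not part of keg-auth or this thread: it decides, for a stored account and an optional OIDC claim set returned by the provider, whether password login, email editing and the presented OAuth identity are allowed. The names `PolicyDecision`, `normalize_email`, `is_domain_locked`, `decide` and the `APPROVED_DOMAINS` sample are assumptions made here.

```python
from dataclasses import dataclass

# Constructed sample configuration (not the project's setting name or values).
APPROVED_DOMAINS = ("level12.io", "Example.com")


@dataclass(frozen=True)
class PolicyDecision:
    domain_locked: bool    # the account's email is in an approved domain
    password_login: bool   # a password may be used to log in
    email_editable: bool   # the user may change their own email address
    oauth_login: bool      # the presented OAuth identity is accepted for login
    reason: str


def normalize_email(email: str) -> str:
    """Lowercase and trim; return '' unless there is a non-empty local part and domain."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return f"{local}@{domain}" if sep and local and domain else ""


def is_domain_locked(email: str, approved_domains) -> bool:
    """True when the address's domain is exactly one of the approved domains."""
    addr = normalize_email(email)
    approved = {d.strip().lower().lstrip("@") for d in approved_domains}
    return bool(addr) and addr.rpartition("@")[2] in approved


def decide(account_email: str, approved_domains, userinfo=None) -> PolicyDecision:
    """Apply the issue's rules: approved-domain users get OAuth only and a frozen email.

    userinfo is the OIDC userinfo / ID-token claim set from the provider, or None
    when the request is a password login attempt.
    """
    if not is_domain_locked(account_email, approved_domains):
        return PolicyDecision(False, True, True, False, "not domain-locked: password login only")
    if userinfo is None:
        return PolicyDecision(True, False, False, False, "domain-locked: password login refused")
    # Trust only an email the provider marks as verified, and require it to match
    # the account the administrator created; an unverified or different address
    # must never be mapped onto an existing account.
    if userinfo.get("email_verified") is not True:
        return PolicyDecision(True, False, False, False, "provider did not verify the email")
    if normalize_email(userinfo.get("email", "")) != normalize_email(account_email):
        return PolicyDecision(True, False, False, False, "OAuth email does not match the account")
    return PolicyDecision(True, False, False, True, "domain-locked: OAuth login accepted")
```

For Google specifically, the `hd` (hosted domain) claim in the ID token can be checked alongside the email domain, so that only Workspace accounts of the approved domain pass rather than any address that merely ends in it.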

I'll be using authlib to support this, as it is well-supported, and we're using it already to do our JWT tokens for user verification. We'll have a way to use OAuth while also allowing password login for a subset of users, and we'll also have a way to go directly to the OAuth target.

It's fair to point out that if a user has access to a server for deploying app updates, they'll be able to change their email address on the backend. But that does not negate the advantages.

authlib apparently supports bare OAuth as well as OIDC. It selects OIDC if the openid scope is requested. So, when the new implementation is ready to go, I'll mark the old OIDC stuff as deprecated and create an issue to remove it.

authlib also has a fair number of provider configurations for reference in their loginpass project (https://github.com/authlib/loginpass).

@rsyring any interest in having an option for OAuth-authenticated users to be auto-registered with a configured set of privileges? Or just enforce that somebody will be adding the user record regardless? It would be domain-locked, but it's not difficult to add a user, so I'm not sold on the usefulness of the idea.

Profiles, domain filtering, locking edits when appropriate are all done, so I'll close this issue. If we want to look into setting up an auto-register that depends on the Google user's permissions/groups, we can do that in a separate issue.