🚀 Feature: Read group memberships from OAuth provider and allow to restrict access based on membership #506

Open
marvinruder opened this issue Jun 25, 2024 · 4 comments
Labels
feature New feature or request

marvinruder commented Jun 25, 2024

🔖 Feature description

For an OAuth provider, one can configure a list of groups. The group memberships of a user are read during authentication. If groups are configured for the provider and a user attempts to authenticate without being a member of any configured group, authentication fails, preventing an existing user from signing in using the OAuth provider and preventing a new user from registering at all.

Optionally, a group or list of groups can be configured, where a membership in one of them is required for users to have administrative rights. The administrative rights flag is automatically updated at every OAuth login based on the current group membership status.

🎤 Pitch

I have many users configured in my OAuth provider but would like to allow access to Pingvin Share to only a subset of them.
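The login decision described in this request, sketched as an added example that is not part of the original post or Pingvin Share's code. The names `GroupPolicy`, `evaluateOAuthLogin`, the `groups` claim and the group names are hypothetical, and it assumes that admin-group membership alone does not grant access and that a missing claim fails closed.

```typescript
// Added example; all identifiers here are hypothetical, not Pingvin Share's API.
type Claims = Record<string, unknown>;

interface GroupPolicy {
  groupsClaim: string;     // claim carrying memberships (assumed name, e.g. "groups")
  allowedGroups: string[]; // empty = no access restriction configured
  adminGroups: string[];   // empty = admin flag is not managed by the provider
}

interface LoginDecision {
  allowed: boolean;
  isAdmin: boolean | null; // null = leave the stored admin flag untouched
  reason: string;
}

// Providers send the claim as a string or a string array; anything else is malformed.
function readGroups(claims: Claims, claimName: string): string[] | null {
  const raw = claims[claimName];
  if (typeof raw === "string") return [raw];
  if (Array.isArray(raw) && raw.every((g) => typeof g === "string")) return raw as string[];
  return null;
}

// Run on every OAuth login (sign-in and registration) so revocations take effect.
function evaluateOAuthLogin(claims: Claims, policy: GroupPolicy): LoginDecision {
  const groups = readGroups(claims, policy.groupsClaim);
  const restricted = policy.allowedGroups.length > 0;
  const managesAdmin = policy.adminGroups.length > 0;
  if (groups === null) {
    // Fail closed: a missing claim never grants access or admin rights.
    if (restricted) return { allowed: false, isAdmin: null, reason: "groups claim missing or malformed" };
    return { allowed: true, isAdmin: managesAdmin ? false : null, reason: "no restriction configured" };
  }
  const member = new Set(groups); // exact, case-sensitive match
  if (restricted && !policy.allowedGroups.some((g) => member.has(g))) {
    return { allowed: false, isAdmin: null, reason: "not a member of any allowed group" };
  }
  const isAdmin = managesAdmin ? policy.adminGroups.some((g) => member.has(g)) : null;
  return { allowed: true, isAdmin, reason: "ok" };
}

// Constructed sample policy and ID-token claims.
const samplePolicy: GroupPolicy = {
  groupsClaim: "groups",
  allowedGroups: ["pingvin-users"],
  adminGroups: ["pingvin-admins"],
};
const sampleDecision = evaluateOAuthLogin({ sub: "u1", groups: ["pingvin-users", "pingvin-admins"] }, samplePolicy);
```

The returned `isAdmin` is meant to overwrite the stored flag at each OAuth login, so a user removed from the admin group is demoted on the next sign-in.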

@marvinruder marvinruder added the feature New feature or request label Jun 25, 2024
@marvinruder
Author

This is best combined with #489 (a configuration option disabling password login), so that users cannot circumvent missing access rights by setting a password and signing in with it.

@stonith404 stonith404 changed the title Read group memberships from OAuth provider and allow to restrict access based on membership 🚀 Feature: Read group memberships from OAuth provider and allow to restrict access based on membership Jun 26, 2024
@RahulMishra0722

Isn't the app free/open source?

@marvinruder
Author

> Isn't the app free/open source?

@RahulMishra0722 Of course, meaning that—among other things—anyone is free to use its source code to run their own instance of it. But anyone running their own instance may want to restrict access to it, e.g. to only make it available to their family and friends and not to the general public (just like Linux is free software, but not anyone is free to log on to every Linux computer). This already works by disabling the “Allow registration” setting.

This issue aims to allow registration and authentication only for certain users on an instance configured that way: those who were given a specific access right by an external OAuth provider.

@RahulMishra0722

Thanks for that well-defined and intuitive explanation, @marvinruder. I had the wrong idea about this.
