FriendsOfFlarum / oauth

Allow users to log in with GitHub, Twitter, Facebook, and more!
https://discuss.flarum.org/d/25182
MIT License

Allow to apply group membership #31

Closed georgkrause closed 3 weeks ago

georgkrause commented 3 years ago

Feature Request

Is your feature request related to a problem? Please describe.

We have several tools we use and I don't want to update permissions of all our members for each platform. This is why I want to have a Single Source of Truth for the permissions. Currently we use this for Gitlab + Nextcloud with the Nextcloud Social Login Plugin. I would like to have the same behavior for Flarum.

Describe the solution you'd like

The solution is quite easy: When authenticating via Gitlab Login, we ask for the set of groups. The plugin configuration contains some group mappings (e.g. Gitlab Group -> Flarum Group). The plugin checks if the user is part of a Gitlab group where a mapping exists and applies the Flarum groups.

The source code for the same thing for Gitlab and Nextcloud is already available: https://github.com/zorn-v/nextcloud-social-login/blob/master/lib/Provider/CustomOAuth2.php Their implementation is quite general and maybe it can be a little more specific? Not sure.

Describe alternatives you've considered

One could use LDAP or do it manually, but both are no fun.

I can offer to work on this. I am opening this anyway since I want to start a discussion to see if you are interested! Let me know!

clarkwinkelmann commented 3 years ago

The problem is that this extension is only reacting to logins and registrations.

Syncing groups would likely require some sort of webhooks so a change in the source is applied in Flarum immediately. If it only syncs during new logins there's a good chance it wouldn't fit a lot of the use cases.

Because of that I'd see it a lot more suited for a dedicated auth extension just for that particular provider.

I have implemented a similar feature in my Wordpress extension where user attributes are synced between Wordpress and Flarum, and it's not a generic thing that can be automatically applied to all platforms. It requires a unique implementation for each one and also needs some settings for situations like deletion of a user in the source.

What was your idea for the implementation? How would updates be synced, and do you think there's a way to generalize this for multiple auth providers? Right now we only have GitLab that might have some sort of groups.

georgkrause commented 3 years ago

I don't think it's a huge problem that groups only get updated on login. This is exactly how the Nextcloud social login does it, and it works fine.

If you check the Nextcloud plugin implementation, you see there is a way to make it quite generic. You can specify a claim, which is basically a field in the data which is provided by the OAuth mechanism. This could be groups in the case of Gitlab, but could be role for a different software or whatever the mechanism to control permissions is called.

If you say this is out of scope, this is fine for me, too. In this case I will probably start working on implementing it in another plugin.
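The mapping described in the feature request (provider group -> Flarum group, applied at login) and the generic "configurable claim" idea from the follow-up comment, as an added example. This is not code from FriendsOfFlarum/oauth or from nextcloud-social-login; the config keys, the forum group ids and the sample userinfo payload are constructed for illustration. Two defensive points a practitioner would want are built in: the mapping is an allow-list (unmapped provider groups are ignored, so the provider cannot hand out arbitrary forum groups), and the sync only ever removes groups that the mapping itself manages, so groups an admin assigned by hand survive a login.

```python
"""Added example: mapping an OAuth provider's group/role claim onto forum groups.

Constructed illustration of the approach discussed in the issue (a configurable
claim name plus a provider-group -> forum-group mapping, applied at login). It is
not code from FriendsOfFlarum/oauth or from nextcloud-social-login; the config
keys, group ids and sample payload are assumptions made up for this example.
"""
from typing import Iterable

# Constructed mapping config: provider group -> forum group id. Anything not in
# this allow-list is ignored, so a provider cannot grant arbitrary forum groups.
GROUP_MAPPING = {
    "gitlab:devs": 4,      # hypothetical "Developers" forum group id
    "gitlab:mods": 5,      # hypothetical "Moderators" forum group id
}

# Forum group ids that are *managed* by the mapping. Only these are ever removed
# on sync, so groups an admin assigned by hand are left untouched.
MANAGED_GROUP_IDS = frozenset(GROUP_MAPPING.values())


def read_claim(userinfo: dict, claim: str) -> list[str]:
    """Return the provider's group/role claim as a list of strings.

    `claim` is the field name configured by the admin ("groups" for GitLab,
    "roles" for another provider). Dotted paths walk nested objects. A missing
    claim means "no groups", a bare string is treated as a single group, and
    non-string entries are dropped rather than trusted.
    """
    node = userinfo
    for part in claim.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [g for g in node if isinstance(g, str)]
    return []


def desired_groups(provider_groups: Iterable[str], mapping=GROUP_MAPPING) -> set[int]:
    """Translate provider groups into forum group ids via the allow-list mapping."""
    return {mapping[g] for g in provider_groups if g in mapping}


def plan_sync(current_groups: set[int], desired: set[int], managed=MANAGED_GROUP_IDS):
    """Compute the add/remove delta to apply at login.

    Removals are restricted to managed ids: a user who lost a GitLab group
    loses the mapped forum group, but keeps groups granted outside the mapping.
    """
    to_add = desired - current_groups
    to_remove = (current_groups & managed) - desired
    return to_add, to_remove


# Constructed userinfo payload in the shape an OAuth provider might return.
SAMPLE_USERINFO = {
    "sub": "1234",
    "email": "user@example.test",
    "groups": ["gitlab:devs", "gitlab:unmapped", 42],
}


def sync_from_userinfo(userinfo: dict, claim: str, current_groups: set[int]):
    """Full login-time step: read the claim, map it, and plan the group delta."""
    desired = desired_groups(read_claim(userinfo, claim))
    return plan_sync(current_groups, desired)


if __name__ == "__main__":
    # User currently has group 5 (from an earlier sync) and 7 (hand-assigned).
    add, remove = sync_from_userinfo(SAMPLE_USERINFO, "groups", {5, 7})
    print("add:", sorted(add), "remove:", sorted(remove))  # add: [4] remove: [5]
```

Running it shows group 4 being added (the user is in `gitlab:devs`), group 5 being removed (no longer in `gitlab:mods`), and the hand-assigned group 7 untouched; the unmapped provider group and the non-string entry are silently ignored. Swapping the `claim` argument to `"realm.roles"` or similar is all that is needed for a provider that exposes its permissions under a different field, which is the generic mechanism the comment above refers to.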

DavideIadeluca commented 3 weeks ago

Thanks @georgkrause for your feature request. While I think it's an interesting proposition, I have to agree with @clarkwinkelmann in that it would be better suited to include this additional functionality in a separate extension on a case-by-case basis.