FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Identity provider does not prevent user registration #738

Open soullivaneuh opened 4 years ago

soullivaneuh commented 4 years ago

Identity provider does not prevent user registration

Description

If a user who is not registered uses an identity provider to authenticate, their account will be created regardless of the given configuration.

Our apps are not open for registration yet and are configured accordingly. They should not accept registration from identity providers either.

Affects versions

v1.17.5

Steps to reproduce

  1. Create and enable an identity provider (in my case Google) without the "Create registration" option (see capture 1).
  2. Ensure your application does not have self-registration enabled (see capture 2).

Expected behavior

User self-registration through an identity provider should be prevented.

Screenshots

Capture 1: [screenshot: identity provider configuration, "Create registration" unchecked]

Capture 2: [screenshot: application configuration, self-service registration disabled]

Additional context

This may be a wrong configuration on my side, but I really don't see what else would solve my issue.

mooreds commented 4 years ago

Hiya,

Are you seeing a registration being created for your application, or just a user being created? That is, when you view the user details page for the user who authenticated via Google, do you see anything under the 'Application' tab?

If only a user is created, then this may be a helpful thread to read: https://fusionauth.io/community/forum/topic/5/can-you-limit-a-user-s-login-authentication-access-to-applications-within-a-single-tenant Plus we should probably update the documentation.

If the registration is being created, that's definitely a bug.

Thanks!

soullivaneuh commented 4 years ago

A new user is created, but I'm not sure what you mean by "for your application".

The new user seems to end up on a page like this:

[screenshot: error page shown after logging in with Google]

Does it help?

mooreds commented 4 years ago

Ah, can you show me a screencap of the admin ui for this user's details page? Here's an example:

[screenshot: example user details page in the admin UI]

(Also, I misspoke, it is the 'Registrations' tab, not the 'Application' tab.)

robotdan commented 4 years ago

That is working as designed. The user will be created, but not registered.

The way we approach this is that when you enable an identity provider you're indicating that this external provider is an additional SoR (Source of Record). When the user successfully logs into this provider, such as Google, Google has told us the user exists and their credentials are valid. In return we accept this source of record into FusionAuth (create the user).

Next we identify if the configuration allows us to automatically register (provide authorization) for the requested application. In this case, it does not, so the user is not registered. When the user is then redirected to the FusionAuth admin page, we identify that the user is not authorized for the action and you see the message in the screenshot.

We could add a feature which would indicate for a particular IdP - the user has to already have a user configured in FusionAuth ahead of time. In most cases, this is not the ideal, but if you would like to see this, please open a feature request.

soullivaneuh commented 4 years ago

Thanks for the detailed explanation.

> We could add a feature which would indicate for a particular IdP - the user has to already have a user configured in FusionAuth ahead of time. In most cases, this is not the ideal, but if you would like to see this, please open a feature request.

So if I understand correctly, I can't prevent this directly with FusionAuth?

In that case, yes, can we consider this issue a feature request then? This is exactly what I need. :+1:

This feature would be useful for semi-internal/internal web apps with a controlled user flow.

soullivaneuh commented 4 years ago

One more thing I'm not sure I understand: what is the purpose of preventing registration creation if the user can still authenticate with Google and then land on an unhelpful error page? :thinking:

voidmain commented 4 years ago

I think the error message is what you are looking for. Here's what I think you require:

You have an application that is locked down, meaning that an admin needs to grant users permissions to it in order for them to access it. However, you want to leverage an external system, such as G-Suite, to authenticate users. Therefore, FusionAuth needs to display some type of error message once the user logs in with Google to let the user know that they don't have permissions to your locked down application.

Or am I missing the use case?

soullivaneuh commented 4 years ago

It looks like it, yes, but as with https://github.com/FusionAuth/fusionauth-issues/issues/632, I can't do anything from FusionAuth to personalize the behavior.

hatrg commented 2 months ago

I also have a similar need for a configuration to enable user creation or not, as in our system user creation is very specific and the user has to be invited; SSO is just another convenient way for the user to log in, provided that their account already exists via the invitation process.

hatrg commented 2 months ago

OK I just found out about this: https://fusionauth.io/docs/lifecycle/authenticate-users/identity-providers/#linking-strategies

This is perfect for my use case now.
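The thread turns on two separate switches: whether an external login may create a FusionAuth user at all, and whether it may create a registration (authorization) for the application. robotdan's explanation above covers the second switch; the linking strategies hatrg found cover the first, in a release later than the v1.17.5 this issue reports against. The following is an added example, not FusionAuth's own code, that models both decisions for a constructed identity provider configuration so you can predict the outcome before changing a real tenant. It assumes the field names from the identity provider API documentation (`linkingStrategy`, and a per-application `applicationConfiguration[<applicationId>]` entry carrying `enabled` and `createRegistration`), that `LinkByEmailForExistingUser` / `LinkByUsernameForExistingUser` refuse the login when no matching user exists, and that `PATCH /api/identity-provider/{id}` accepts a body wrapped in `identityProvider`; check each against the docs for your version. The application id and sample configuration are constructed.

```python
"""Added example (not FusionAuth's own code): model which IdP configuration
produces which outcome for an external (e.g. Google) login.

Assumptions, to be checked against the FusionAuth identity provider API docs
for your version: `linkingStrategy`, and
`applicationConfiguration[<applicationId>]` with `enabled` / `createRegistration`.
"""
from copy import deepcopy

APP_ID = "2b8c0e3a-0000-4000-8000-000000000001"  # constructed sample application id

# Strategies that create a FusionAuth user when none matches the external account.
_CREATING_STRATEGIES = {"LinkByEmail", "LinkByUsername"}
# Strategies that only link to a user that already exists (invite-first flow).
_EXISTING_ONLY_STRATEGIES = {"LinkByEmailForExistingUser", "LinkByUsernameForExistingUser"}


def evaluate_idp_login(idp: dict, application_id: str, user_exists: bool,
                       user_registered: bool = False) -> dict:
    """Return what happens when someone authenticates at the external IdP.

    `user_exists`: a FusionAuth user already matches the identity the IdP returned.
    `user_registered`: that user already holds a registration for the application.
    """
    strategy = idp.get("linkingStrategy", "LinkByEmail")  # assumed default for Google-style IdPs
    app_cfg = idp.get("applicationConfiguration", {}).get(application_id, {})

    result = {"login_accepted": False, "user_created": False,
              "registration_created": False, "authorized_for_app": False}

    if strategy == "Disabled" or not app_cfg.get("enabled", False):
        return result  # IdP not usable for this application at all
    if strategy in _EXISTING_ONLY_STRATEGIES:
        if not user_exists:
            return result  # what the thread asks for: unknown user, nothing created
        result["login_accepted"] = True
    elif strategy in _CREATING_STRATEGIES:
        result["login_accepted"] = True
        result["user_created"] = not user_exists  # "the user will be created, but not registered"
    else:
        raise ValueError(f"linking strategy not modelled here: {strategy}")

    # Registration (authorization for the application) is a separate switch.
    if not user_registered and app_cfg.get("createRegistration", False):
        result["registration_created"] = True
    result["authorized_for_app"] = user_registered or result["registration_created"]
    return result


def require_existing_user(idp: dict, application_id: str) -> dict:
    """Return a copy of the IdP config switched to the invite-first behaviour."""
    patched = deepcopy(idp)
    patched["linkingStrategy"] = "LinkByEmailForExistingUser"
    app_cfg = patched.setdefault("applicationConfiguration", {}).setdefault(application_id, {})
    app_cfg["createRegistration"] = False
    return patched


def patch_body(idp: dict) -> dict:
    """Body for PATCH /api/identity-provider/{identityProviderId} (assumed shape)."""
    return {"identityProvider": {"linkingStrategy": idp["linkingStrategy"],
                                 "applicationConfiguration": idp["applicationConfiguration"]}}


# Constructed sample mirroring the issue: IdP enabled for the app,
# "Create registration" unchecked, no explicit linking strategy.
ISSUE_CONFIG = {
    "type": "Google",
    "enabled": True,
    "applicationConfiguration": {APP_ID: {"enabled": True, "createRegistration": False}},
}

if __name__ == "__main__":
    print("issue config, unknown Google user:",
          evaluate_idp_login(ISSUE_CONFIG, APP_ID, user_exists=False))
    strict = require_existing_user(ISSUE_CONFIG, APP_ID)
    print("invite-first config, unknown Google user:",
          evaluate_idp_login(strict, APP_ID, user_exists=False))
    print("PATCH body:", patch_body(strict))
```

With the issue's configuration the model reproduces what soullivaneuh saw: the login is accepted, a user is created, no registration is created, and the user is not authorized for the application. Switching the strategy to `LinkByEmailForExistingUser` rejects the unknown Google account outright and creates nothing, which is the invite-first behaviour both reporters wanted; an invited user who already holds a registration still logs in normally.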