[BUG] Google oauth doesn't allow access to new users

getfider / fider

Open platform to collect and prioritize feedback

https://fider.io

GNU Affero General Public License v3.0

2.87k stars 627 forks source link

[BUG] Google oauth doesn't allow access to new users #1116

Closed Leen15 closed 1 year ago

Leen15 commented 1 year ago

Fider Cloud or Self Hosted Self Hosted Fider, version 0.21.1

Describe the bug We are testing Fider in private mode enabling the google oauth provider. We expect that any user can access the service using the oauth provider as specified in the description of the privacy mode: A private site prevents unauthenticated users from viewing or interacting with its content. When enabled, only already registered users, invited users and users from trusted OAuth providers will have access to this site. Instead, only oauth users that match with the email of manually added users can login.

I don't know if it's the reason, but I found a PR ( #1068 ) that should allow oauth providers to be set as "trusted" BUT it seems that system providers are not set as "Trusted" by default and there is no way to change them (it's hardcoded): https://github.com/getfider/fider/blob/44958bf98a4ca417b9852ebd2cf2fd42a9b4508c/app/services/oauth/oauth.go#L83

Any help on this? Thanks

goenning commented 1 year ago

Hey @Leen15 this is actually expected.

if we set google/facebook/github as Trusted, then any user from this platform would be able to sign in to the private site.

Trusted providers are meant to be used only on custom OAuth to allow only some users, this is most commonly used to restrict a private site to employees only

Leen15 commented 1 year ago

Thank you @goenning , I understand your pov. Unfortunately this totally exclude the option to use Google oauth with internal applications, commonly used by companies to allow oauth access to only users with a specific company domain. Also, this exclude the option to use fider only after a signup (but without the need to manually invite users) avoiding anonymous users to use the service.

goenning commented 1 year ago

Are you using Google Workspaces? You should then use custom OAuth and just enter your details there.

The system OAuth is for public access.

Leen15 commented 1 year ago

Are you using Google Workspaces? You should then use custom OAuth and just enter your details there.

The system OAuth is for public access.

Yes we are, but we cannot find any example to set up it with a custom OAuth in Fider (https://fider.io/docs/configuring-oauth). Usually we only have to set up ClientID and the Secret for a google login. Can you give us a hit about what should we set in every field with Google provider?

Leen15 commented 1 year ago

If somebody else needs to do the same, this is the configuration to set Google as a custom OAuth Provider:

Create a "OAuth 2.0 Client ID" in Google Cloud Console, leave the "Authorised redirect URIs" empty.

Create a new OAuth Provider in Fider and set as follow:

Client ID: <provided by google>
Client Secret: <provided by google>
Authorize URL: https://accounts.google.com/o/oauth2/auth
Token URL: https://oauth2.googleapis.com/token
Scope: https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
Profile API URL: https://www.googleapis.com/oauth2/v1/userinfo?alt=json
Trusted Source: Yes
Status: Enabled

Press save, then get the Callback URL provided by Fider and set it in the "Authorised redirect URIs" in Google Cloud Console.

You should now be able to access using google.