kontron / redmine_oauth

Redmine authentication through OAuth.
GNU General Public License v2.0

Incentive to use this plugin (tighten password rules / co-usage of oauth2 login) #30

Closed col-panic closed 6 months ago

col-panic commented 8 months ago

The IS situation

After installing this plugin I want users to authenticate via it.

I did not find a way to disable password login, and I also want to keep it. So in order to provide an incentive for the users to use the oauth login, I tightened the direct username/password rules massively. That is: the password has to be changed every 7 days, it has to be at least 12 chars long and you have to use OTP. BUT using this oauth login should not force you to do any of this.

The problem

At the moment, after authenticating via this plugin I still have to update the password and set the OTP - which is IMHO not as it should be. So a login via oauth should just skip the pages requiring you to re-set your password and configure an OTP (they should be enforced only if I authenticate via the Redmine default path).

Other questions

Thanks for your great plugin!

remark: https://www.redmine.org/issues/37363

svenseeberg commented 8 months ago

Would it be possible to configure a direct oauth2 login forwarding? That is accessing https://my-redmine.service leads directly to the oauth idp and only https://my-redmine.service?auth=password shows the default login screen with alternatives?

This is basically the same issue as #28 with another approach to the solution?!

col-panic commented 8 months ago

> Would it be possible to configure a direct oauth2 login forwarding? That is accessing https://my-redmine.service leads directly to the oauth idp and only https://my-redmine.service?auth=password shows the default login screen with alternatives?
>
> This is basically the same issue as #28 with another approach to the solution?!

yes, and the means to still revert to password authentication if required!

col-panic commented 6 months ago

@svenseeberg I'm not sure if the following point is missing:

> The problem: At the moment, after authenticating via this plugin I still have to update the password and set the OTP - which is IMHO not as it should be. So a login via oauth should just skip the pages requiring you to re-set your password and configure an OTP (they should be enforced only if I authenticate via the Redmine default path).

I'm just testing the development branch, and tightened the rules for password usage. So if I leave password authentication enabled, but use oauth authorization - then the request to update the password should be skipped! It should only be presented when logging in via username/password.

... test ongoing

col-panic commented 6 months ago

It seems to be still the case: If I login via redmine_oauth then I am still required to change the current password.

@picman could this be disabled?

picman commented 6 months ago

I've modified the plugin in order to skip the 2FA initialization request and the password change request if authentication is via OAuth. If you can, please test the devel branch.

col-panic commented 6 months ago

Thanks @picman that works just perfect! I set very tight rules, and now logging in with username/password shows the requirement to update those values, while the oauth plugin directly works!
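The two behaviours discussed in this thread (svenseeberg's "forward /login to the IdP unless ?auth=password" idea, and picman's fix that skips the password-change and 2FA-setup interstitials only for OAuth sessions) reduce to a small amount of session logic. The block below is an added example written for this page in plain Ruby; it is not code from the redmine_oauth plugin or from Redmine itself. The session key `:oauth_login`, the `OAUTH_AUTHORIZE_URL` constant and the `User` struct are assumptions that stand in for Redmine's `ApplicationController` before_action chain and its `User#must_change_password?` / `User#must_activate_twofa?` checks. The security-relevant point it shows is that the skip must be keyed on a flag the server sets at login time, never on anything the client sends, and that a subsequent password login must clear it so the tightened rules still apply on that path.

```ruby
# Added example (not the redmine_oauth plugin's or Redmine's own code).
# Models two behaviours from the issue thread without Rails:
#   1. "direct forwarding": GET /login goes to the IdP unless ?auth=password
#   2. picman's fix: skip password-change / 2FA-setup interstitials only when
#      the session was established through OAuth.
# OAUTH_AUTHORIZE_URL, :oauth_login and User are assumptions for illustration.
require 'uri'

OAUTH_AUTHORIZE_URL = 'https://idp.example.org/oauth2/authorize'.freeze # assumed

# Stand-in for Redmine's User with the two policy predicates the thread cares about.
User = Struct.new(:login, :must_change_password, :must_activate_twofa) do
  def must_change_password?
    must_change_password
  end

  def must_activate_twofa?
    must_activate_twofa
  end
end

module LoginRouter
  # Decide what GET /login does. Only the explicit ?auth=password opt-out
  # renders Redmine's own form; everything else is forwarded to the IdP.
  # forward_enabled: false restores the stock behaviour (e.g. IdP outage).
  def self.route(request_uri, forward_enabled: true)
    query  = URI(request_uri).query.to_s
    params = URI.decode_www_form(query).to_h
    if forward_enabled && params['auth'] != 'password'
      { redirect: OAUTH_AUTHORIZE_URL }
    else
      { render: :password_form }
    end
  end
end

module SessionGate
  # Called by whichever path authenticates the user. The flag is derived only
  # from the server-side code path (via:), never from request parameters, and
  # the old session content is dropped so a stale flag cannot survive a
  # re-login through the password form.
  def self.establish(session, user, via:)
    session.clear
    session[:user_id]     = user.login
    session[:oauth_login] = (via == :oauth)
    session
  end

  # Mirrors the before_action chain (check_password_change then
  # check_twofa_activation). Returns the interstitial to show, or nil.
  def self.interstitial_for(user, session)
    return nil if session[:oauth_login] == true # OAuth session: IdP owns the policy
    return :change_password if user.must_change_password?
    return :setup_twofa     if user.must_activate_twofa?
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new('alice', true, true) # constructed sample: tight rules triggered
  oauth_session = SessionGate.establish({}, alice, via: :oauth)
  pw_session    = SessionGate.establish({}, alice, via: :password)
  puts "oauth login  -> #{SessionGate.interstitial_for(alice, oauth_session).inspect}"
  puts "password login -> #{SessionGate.interstitial_for(alice, pw_session).inspect}"
  puts LoginRouter.route('https://my-redmine.service/login').inspect
  puts LoginRouter.route('https://my-redmine.service/login?auth=password').inspect
end
```

In a real plugin the equivalent of `establish` runs in the OAuth callback and in the password login action respectively, and `interstitial_for` is what the overridden before_action consults; the point of the `session.clear` is that a user who was logged in via OAuth and then re-authenticates with a password is not carried past the password-change and 2FA-setup pages by a flag left over from the earlier session.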