stonith404 / pingvin-share

A self-hosted file sharing platform that combines lightness and beauty, perfect for seamless and efficient file sharing.
BSD 2-Clause "Simplified" License

🚀 Feature: Read group memberships from OAuth provider and allow to restrict access based on membership #506

Open marvinruder opened 2 weeks ago

marvinruder commented 2 weeks ago

🔖 Feature description

For an OAuth provider, one can configure a list of groups. The group memberships of a user are read during authentication. If groups are configured for the provider and a user attempts to authenticate without being a member of any configured group, authentication fails, disallowing an existing user to sign in using the OAuth provider and disallowing a new user to register at all.

Optionally, a group or list of groups can be configured, where a membership in one of them is required for users to have administrative rights. The administrative rights flag is automatically updated at every OAuth login based on the current group membership status.

🎤 Pitch

I have many users configured in my OAuth provider but would like to allow access to Pingvin Share to only a subset of them.
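One way the decision described in this request could be implemented, as an added example that is not Pingvin Share's own code; the claim name, the config fields and the rule that admin groups do not grant access on their own are assumptions:

```typescript
// Added example, not Pingvin Share's own code. Assumes the provider exposes
// group memberships in an ID-token/userinfo claim (default name "groups")
// and that the per-provider config holds two optional group lists.
interface OAuthGroupConfig {
  allowedGroups: string[]; // empty list = access not restricted by group
  adminGroups: string[];   // empty list = admin flag not managed by OAuth
}

interface GroupDecision {
  allowed: boolean;
  isAdmin?: boolean;       // undefined = leave the stored admin flag untouched
  reason: string;
}

// Read group names from a claims object. Providers differ: accept a string
// array or a single comma-separated string; anything else means "no groups".
function extractGroups(claims: Record<string, unknown>, claimName = "groups"): string[] {
  const raw = claims[claimName];
  if (Array.isArray(raw)) return raw.filter((g): g is string => typeof g === "string");
  if (typeof raw === "string") return raw.split(",").map((g) => g.trim()).filter(Boolean);
  return [];
}

// Decide, on every OAuth login, whether the user may sign in or register and
// what their admin flag should become. Assumption: admin groups do not grant
// access by themselves, so an admin group should also appear in allowedGroups.
function decideAccess(config: OAuthGroupConfig, userGroups: string[]): GroupDecision {
  const member = new Set(userGroups);
  const inAny = (groups: string[]) => groups.some((g) => member.has(g));

  if (config.allowedGroups.length > 0 && !inAny(config.allowedGroups)) {
    // Fail closed: blocks both sign-in of an existing user and registration.
    return { allowed: false, reason: "not a member of any configured group" };
  }
  if (config.adminGroups.length === 0) {
    return { allowed: true, reason: "no admin groups configured" };
  }
  // Re-evaluated at each login, so removal from the admin group also demotes.
  return { allowed: true, isAdmin: inAny(config.adminGroups), reason: "admin flag synced from groups" };
}

// Constructed sample claims, shaped like what a provider might return.
const sampleClaims = { sub: "alice", groups: ["share-users", "share-admins"] };
const sampleDecision = decideAccess(
  { allowedGroups: ["share-users"], adminGroups: ["share-admins"] },
  extractGroups(sampleClaims),
);
console.log(sampleDecision);
```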

marvinruder commented 2 weeks ago

This is best combined with #489 (a configuration option disabling password login), so that users cannot circumvent missing access rights by setting a password and signing in with it.

RahulMishra0722 commented 1 week ago

Isn't the app free/open source?

marvinruder commented 1 week ago

Isn't the app free/open source?

@RahulMishra0722 Of course, meaning that—among other things—anyone is free to use its source code to run their own instance of it. But anyone running their own instance may want to restrict access to it, e.g. to only make it available to their family and friends and not to the general public (just like Linux is free software, but not anyone is free to log on to every Linux computer). This already works by disabling the “Allow registration” setting.

This issue aims to allow registration and authentication only for certain users on an instance configured that way: those who were given a specific access right by an external OAuth provider.

RahulMishra0722 commented 1 week ago

Thanks for that well-defined and intuitive explanation @marvinruder, I had the wrong idea about this.

marvinruder commented 4 days ago

@stonith404 Would you accept a PR implementing this feature? I can work on this, but only want to put in the effort if I know that this idea is not misaligned with the direction of this project.

stonith404 commented 2 days ago

@marvinruder Yeah, I think that's a good idea. Do you have a specific provider in mind or would you create an implementation for all supported providers?