zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0
198 stars 137 forks

Custom prefix rather than "$provider-" #317

Closed xMAC94x closed 2 years ago

xMAC94x commented 2 years ago

Currently all sociallogin-created users have their provider as a prefix. AFAIK the reason for this was to guarantee that usernames are always unambiguous. However, this guarantee does not work: usernames could be pre-created, e.g. keycloak-foo, before we log in with the foo user via keycloak. So how about making this prefix customizable rather than always fixing it to the provider? I would propose an additional flag in "Custom OpenID Connect" where one could specify a UserPrefix keycloak- and a GroupPrefix keycloak-, or just no prefix at all. What speaks against this proposal?

zorn-v commented 2 years ago

> However this guarantee does not work. Usernames could be precreated

Let's say it is not a "guarantee", but "reducing the probability".

> or just no prefix at all

And a random user from an untrusted source can become admin. Cool :smile:

xMAC94x commented 2 years ago

> or just no prefix at all

> And random user from untrusted source can become admin. Cool :smile:

One could probably select the Default Group "admin" somewhere and create chaos too. I am for security by default, sure, but when someone uses this awesome plugin for their private cloud to allow their custom OpenID Connect backend, one could assume (hope) they know what they are doing and do not allow the creation of an admin user in their OpenID backend. Maybe, though, this field should only be visible for the custom OAuth and OpenID and not the ones from Google, Facebook ...
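To make the collision point in the two comments above concrete, here is an added example (not code from nextcloud-social-login) that models how the uid is derived from a remote identity with and without the provider prefix, and a defender-side check that refuses to log a remote identity into a locally created account. The local user table and the provider names are constructed for illustration.

```python
from typing import Optional, Dict, Tuple

# Constructed local user table: uid -> origin of the account.
# "local" means created by a Nextcloud admin, otherwise the provider name.
LOCAL_USERS: Dict[str, str] = {
    "admin": "local",           # built-in admin account
    "keycloak-foo": "local",    # pre-created by hand, as the issue describes
    "keycloak-bar": "keycloak", # previously created by this plugin's flow
}


def map_uid(provider: str, remote_name: str, prefix: Optional[str] = None) -> str:
    """Derive the Nextcloud uid for a remote identity.

    prefix=None reproduces the current behaviour ("<provider>-" prefix);
    prefix="" is the "no prefix at all" option from the proposal.
    """
    if prefix is None:
        prefix = f"{provider}-"
    return f"{prefix}{remote_name}"


def resolve_login(provider: str, remote_name: str, prefix: Optional[str] = None,
                  users: Dict[str, str] = LOCAL_USERS,
                  naive: bool = False) -> Tuple[str, str]:
    """Return (uid, action) with action in {"create", "login", "reject"}.

    naive=True logs in whenever the uid already exists, which is the risk
    zorn-v describes: with an empty prefix a remote "admin" lands on the
    local admin account.  The default only allows login into a uid that was
    created by the same provider; any other collision is rejected.
    """
    uid = map_uid(provider, remote_name, prefix)
    origin = users.get(uid)
    if origin is None:
        return uid, "create"
    if naive or origin == provider:
        return uid, "login"
    return uid, "reject"
```

The check does not remove the collision itself (a hand-made keycloak-foo still collides), but it turns a silent account takeover into a refused login that can be logged and investigated.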

zorn-v commented 2 years ago

> but when someone uses this awesome plugin for their private cloud

You forget that not only "private" may be in couple with private/almost private etc.

Try to use this fork, which was made for "private clouds" as I suppose: https://apps.nextcloud.com/apps/oidc_login