Closed xMAC94x closed 2 years ago
However this guarantee does not work. Usernames could be precreated
Let's say it is not "guarantee", but "reducing the probability"
or just no prefix at all
And random user from untrusted source can become admin. Cool :smile:
One could prob select the Default Group "admin" somewhere and create chaos too. I am for security by default sure, but when someone uses this awesome plugin for their private cloud to allow their custom OpenID Connect backend one could assume (hope) they know what they are doing and do not allow the creation of an admin user in their OpenID backend. Maybe though this field should only be visible for the custom OAuth and OpenID and not the ones from google, facebook ...
but when someone uses this awesome plugin for their private cloud
You forget that not only "private" may be in couple with private/almost private etc.
Try to use this fork which was made for "private clouds" as I suppose https://apps.nextcloud.com/apps/oidc_login
currently all sociallogin created users have their provider as a prefix. AFAIK the reason for this was to guarantee that usernames are always unambiguous. However this guarantee does not work. Usernames could be precreated, e.g. `keycloak-foo` before we log in with the `foo` user via keycloak. So how about making this prefix customizable rather than have it always fixed to provider. I would propose an additional flag in "Custom OpenID Connect" where one could specify a UserPrefix `keycloak-` and GroupPrefix `keycloak-` or just no prefix at all, what speaks against this proposal ?
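An added example (not sociallogin's own code) showing the collision described in this issue and one way a provisioning step could refuse it: a pre-created local account `keycloak-foo` is silently adopted when the login only looks up the derived name, while a lookup that also checks the bound provider identity rejects it. `Account`, `naive_login`, `safe_login` and the in-memory store are illustrative names, not the plugin's API; the `prefix` parameter mirrors the configurable UserPrefix proposed above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Illustrative account model (not the plugin's). `linked` records which external
# identity (provider, sub) this account was provisioned for; None = local account.
@dataclass
class Account:
    uid: str
    groups: Set[str] = field(default_factory=set)
    linked: Optional[Tuple[str, str]] = None


class ProvisioningError(Exception):
    """Raised when an OIDC login would take over an account it does not own."""


def derive_uid(provider: str, sub: str, prefix: Optional[str] = None) -> str:
    # Default mirrors the current behaviour: "<provider>-<sub>". An empty
    # prefix corresponds to the "no prefix at all" option from the proposal.
    if prefix is None:
        prefix = f"{provider}-"
    return f"{prefix}{sub}"


def naive_login(store: Dict[str, Account], provider: str, sub: str,
                prefix: Optional[str] = None) -> Account:
    # Name-only lookup: whoever pre-created `keycloak-foo` decides what the
    # later OIDC subject `foo` from keycloak ends up with (groups included).
    uid = derive_uid(provider, sub, prefix)
    acct = store.get(uid)
    if acct is None:
        acct = Account(uid, linked=(provider, sub))
        store[uid] = acct
    return acct


def safe_login(store: Dict[str, Account], provider: str, sub: str,
               prefix: Optional[str] = None) -> Account:
    # Same derived name, but an existing account is only returned if it is
    # bound to exactly this (provider, sub); an unlinked or differently
    # linked account with the same name is a collision, not a match.
    uid = derive_uid(provider, sub, prefix)
    acct = store.get(uid)
    if acct is None:
        acct = Account(uid, linked=(provider, sub))
        store[uid] = acct
        return acct
    if acct.linked != (provider, sub):
        raise ProvisioningError(
            f"{uid!r} exists but is not bound to {(provider, sub)!r}")
    return acct
```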