UX Optional Password & Captcha for External Registration #5029
Conversation
Codecov Report
@@ Coverage Diff @@
## master #5029 +/- ##
==========================================
+ Coverage 41.24% 41.24% +<.01%
==========================================
Files 464 464
Lines 62867 62893 +26
==========================================
+ Hits 25928 25939 +11
- Misses 33548 33561 +13
- Partials 3391 3393 +2
Continue to review full report at Codecov.
|
|
What is reason |
|
My view is that Captcha is the kind of thing you implement for local logins, not the kind of thing you enforce on delegated logins that you already trust, which already do that type of validation. For my instance (and I think most people would feel this way), I want the greatest protection from bots with the least friction for new users and I think local-only captcha strikes the right balance. |
|
(that said, some people may want it for some reason, so I didn’t want to nix it entirely) |
|
Is "OpenID" considered "External Registration" ?
Sorry but I'm a bit confused about the state of oAuth2 vs. OpenID(2)
implementations
|
TL;DR
ExplanationI haven't changed the behavior of OpenID(1) and it follows a different flow from OAuth2 in the code. As such I don't think that these changes affect the OpenID(1) flow. I don't want to pursue changing the OpenID(1) flow as part of this PR (it was never very well adopted and doesn't provide a lot of value in my opinion), but I'd be open to updating it as well later on. OpenID(2) aka OIDC aka OpenID Connect is actually not related to OpenID in any way. It's a strict subset of OAuth2 that actually defines important things like data format (JSON vs urlencoded), endpoint URLs, etc. It's not very well designed for personal use, in my opinion, so it doesn't really meet the original goal of OpenID (IndieAuth is probably better for that), but it is far better than OAuth2 for enterprise-style use and maintains perfect OAuth2 compatibility (which isn't hard seeing how OAuth2 doesn't define any of those things so there's nothing much to be "compatible" with other than the generic concept of "there's some handshakes"). |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
|
Thanks for working on this @solderjs !
The workflow is working fine for me. Clicking the link "Connect With OpenId Connect" on the login page redirect to our AzureAD that redirect to the "Add Account Recovery Info". If i enter a username, then everything is working fine inside Gitea. I do confirm ALLOW_ONLY_EXTERNAL_REGISTRATION is working, but you need to also to put DISABLE_REGISTRATION to false.
I think something is missaligned on the UI but is it an issue with #5006 ?
Keep up the good work. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
|
Is this work still ongoing ? I'd love to see OpenID-Connect with discovery enabled on try.gitea.io ... |
|
Please resolve the conflict |
| @@ -61,6 +63,8 @@ func newService() { | |||
| Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool() | |||
| Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool() | |||
| Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool(false) | |||
| Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool() | |||
There was a problem hiding this comment.
| Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool() | |
| Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool(Service.EnableCaptcha) |
|
replaced by #6606 |
Re: #4226 and #3837
I see the primary purposes of external accounts as to increase security and convenience (which always go hand-in-hand).
If I have enabled external accounts, I should not require the user to weaken security by forcing them to create a (likely re-used) password.
Likewise, since I've already hand-picked the external account providers that I trust and want to allow, I should not reduce convenience by requiring a secondary captcha.
REQUIRE_EXTERNAL_REGISTRATION_PASSWORDREQUIRE_EXTERNAL_REGISTRATION_CAPTCHAALLOW_ONLY_EXTERNAL_REGISTRATIONSome other fixes that I want to get in, but may deserve separate PRs:
If you'd like to test it out
My pull request is against
master, but I run it as backport to v1.5.1 (includes #5006, #5029, #5033, #5034):I would not recommend replacing your existing gitea, but rather creating a symlink so that you can easily switch back if you don't like it. For example, if you keep
giteain/opt/gitea/bin:rsync -av ./gitea /opt/gitea/bin/gitea-v1.5.1-coolaj86 pushd /opt/gitea/bin mv gitea gitea-v1.5.1 ln -s gitea-v1.5.1-coolaj86 giteaI've run a couple of manual tests so far, so I feel comfortable with someone else trying it out. I won't be pushing any additional changes to that branch (such as the upcoming changes to address the empty checkboxes in the issue) until I've tested them in production for myself.