Show login type in Users page and allow converting from OIDC to built-in and back
#8346
Comments
|
The issue is if the builtin email and the oidc email do not match. You could reason someone sets their builtin email to In this case if an admin switches to OIDC and the OIDC email is The current feature in experimental resolves this by having the user authenticate with their password, then authenticate with OIDC and we can pair them on the BE. TBD what to do when the emails actually mismatch, but it does guarantee it is the same person. |
|
I see. How do you expect this to work with #7126? I suppose its less of a problem during creation?
I see. At this point, that seems like an irrecoverable state. Any ideas on how we work around it? I'm not sure if we should avoid it entirely so we can support cases where an admin adds OIDC and wants to "enforce" all users to use OIDC now. We have this, but then users are also unable to login --disable-password-auth bool, $CODER_DISABLE_PASSWORD_AUTH
Disable password authentication. This is recommended for security
purposes in production deployments that rely on an identity provider.
Any user with the owner role will be able to sign in with their
password regardless of this setting to avoid potential lock out. If
you are locked out of your account, you can use the `coder server
create-admin` command to create a new admin user directly in the
database. |
|
We also have a As for how does an admin create an oidc account, I think we'll have to do something similar to V1, or make them generate some code or token a user can use to signup. The switching back to |
Users page and allow converting from OIDC to build-in and backUsers page and allow converting from OIDC to built-in and back
|
@sharkymark I don't think it is as strong of a use case. OIDC is managed externally, user/pass is managed by the user. So when you convert to OIDC, you pass authentication to the deployment configuration. If you allow converting back, then the deployment IDP loses control of the user and potentially role/group sync. So although I see the demo case for converting back and forth, in practice I think only admins should convert a user back to password auth. |
Uh oh!
There was an error while loading. Please reload this page.
Let's do this in conjunction with #5002. Only a User Admin and above should see the lists of users and groups. Users should see what groups they are in from the "Accounts" dropdown. This also means User Admins should be the only ones who can configure what users/groups can access or modify templates.
In the
Userslist, add a row with the user's login type. @Emyrk explained that it may not be great to allow admins to convert between accounts since there may be an email mismatch. However, I don't think there are security risks (just an inconvenience) since the user would own both emails. To fix, the admin would need to convert back toOIDCtobuilt-inand allow the user to authenticate them myself. Perhaps I am misunderstanding though? I guess the security risk would be the admin set the wrong email for the built-in account which is not owned by the user. I think this is still acceptable unless there is evidence of this being handled differently in other enterprise products.We don't need this before we allow users to switch to OIDC themselves but is a good follow-up and was requested by a major customer.
The text was updated successfully, but these errors were encountered: