
[5.x] OAuth: option not to create or update user during authentication #10853

Open
wants to merge 3 commits into base: 5.x

Conversation

miloslavkostir (Contributor)

Problem

When implementing OAuth authentication, non-existent users are created (as unauthorized users).

I understand why that is. Normally, in applications, the user logs in with OAuth and registers directly. But I don't need this feature in the CMS administration.

We have corporate OAuth authentication, through which we authenticate in all corporate applications, and I don't want to have hundreds of unauthorized users in the "users" section of Statamic.

Solution

I suggest extending the statamic.oauth configuration option to disable/enable automatic user creation and update.

Usage

Just add config options to the config/statamic/oauth.php:

```php
'create_user' => true,
'merge_user_data' => true,
```

In case of unauthorized user there is the option to change redirect URL:

```php
'unauthorized_redirect' => '/some-unauthorized-page'
```

Backward compatibility

As you can see in src/Http/Controllers/OAuthController.php, the default configuration values do not change the behavior of the current version. So the user will be created and his data will be merged.

@miloslavkostir (Contributor Author)

Doc issue: statamic/docs#1464

@jasonvarga (Member)

Are you using a custom guard?

@miloslavkostir (Contributor Author)

> Are you using a custom guard?

Not for logging into the control panel. I know I can create my own controller. But on the other hand, I think the auto-create feature could be configurable. Until I implement OAuth, I create users manually; after implementing OAuth this process will change and (unauthorized) users will be created uncontrollably.

@jasonvarga (Member)

So if you don't have a custom guard... when someone tries to use OAuth to log into Statamic and you choose not to create a user account, nothing happens. You aren't logged in.

I must be missing something?

@miloslavkostir (Contributor Author)

No, when someone tries to use OAuth to log into Statamic, he is redirected to the OAuth authentication site. There he is authenticated and returned to Statamic. In the Statamic callback URL (oauth/{provider}/callback) the user would not be created (no YAML file created in the users dir or, in my case, no record created in the DB). However, the user's identity would be saved in the session.

Without OAuth:
Admin creates user manually in CP. The user tries to log into Statamic via email and password.

  • If he doesn't exist, he is not created and access is denied
  • If he exists and fills in the right password, access is allowed

With OAuth now:
Admin creates user manually in CP. The user tries to log into Statamic via OAuth, there he is authenticated and he is returned back:

  • If he doesn't exist, he is created, access is allowed, but he is unauthorized (this can be unwanted)
  • If he exists, access is allowed

Result: there can be thousands of unauthorized users in the CP users section.

With OAuth as I suggested:
Admin creates user manually in CP. The user tries to log into Statamic via OAuth, there he is authenticated and he is returned back:

  • If he doesn't exist, he is not created, access is denied (same as "without OAuth")
  • If he exists, access is allowed (same as "without OAuth")

Result: in the CP users section there are only those users created by the admin
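To make the three cases in the comment above concrete, here is an added example that is not the PR's code and not Statamic's own: it models the decision the callback has to make as a plain PHP function over a config array and an in-memory user store, so it runs with nothing but the PHP CLI. The function name `resolveOauthLogin`, the `InMemoryUsers` class, the `/unauthorized` fallback for a missing `unauthorized_redirect`, and the sample accounts are all assumptions for this illustration; the real handler lives in src/Http/Controllers/OAuthController.php and works against Statamic's user repository and session.

```php
<?php
// Added illustration, not code from the Statamic PR or from Statamic itself.
// It models the gate the PR describes for oauth/{provider}/callback as a pure
// function over a plain config array and an in-memory user store, so it runs
// with nothing but the PHP CLI. resolveOauthLogin(), InMemoryUsers, the
// '/unauthorized' fallback and the sample accounts are assumptions.
declare(strict_types=1);

final class InMemoryUsers
{
    /** @var array<string, array<string, mixed>> user records keyed by email */
    public array $byEmail = [];

    public function find(string $email): ?array
    {
        return $this->byEmail[$email] ?? null;
    }

    public function save(array $user): void
    {
        $this->byEmail[$user['email']] = $user;
    }
}

/**
 * Decide what the callback does for an identity the provider has already
 * authenticated. Returns ['action' => 'login', 'user' => ...] when a session
 * should be started, or ['action' => 'redirect', 'to' => ...] when the
 * identity is refused and nothing is written to the user store.
 */
function resolveOauthLogin(array $config, array $identity, InMemoryUsers $users): array
{
    // Defaults reproduce the pre-PR behaviour: always create, always merge.
    $createUser    = $config['create_user'] ?? true;
    $mergeUserData = $config['merge_user_data'] ?? true;
    $redirect      = $config['unauthorized_redirect'] ?? '/unauthorized'; // assumed fallback

    $existing = $users->find($identity['email']);

    if ($existing !== null) {
        if ($mergeUserData) {
            // In this model only profile data is taken from the provider;
            // roles and groups stay whatever the admin set in the control panel.
            $existing['name'] = $identity['name'];
            $users->save($existing);
        }
        return ['action' => 'login', 'user' => $existing];
    }

    if (!$createUser) {
        // New with the PR: unknown identity, so no record, no session, bounce.
        return ['action' => 'redirect', 'to' => $redirect];
    }

    // Pre-PR path: the unknown identity becomes a real user with no roles or
    // groups, i.e. the "unauthorized user" the PR author wants to avoid.
    $user = [
        'email'  => $identity['email'],
        'name'   => $identity['name'],
        'roles'  => [],
        'groups' => [],
    ];
    $users->save($user);

    return ['action' => 'login', 'user' => $user];
}

// Constructed sample data: one admin-created account and one corporate
// identity that was never added in the control panel.
function freshStore(): InMemoryUsers
{
    $users = new InMemoryUsers();
    $users->save(['email' => 'admin@example.com', 'name' => 'Admin', 'roles' => ['super'], 'groups' => []]);
    return $users;
}
$unknown = ['email' => 'newhire@example.com', 'name' => 'New Hire'];

// 1. Default config (current behaviour): the unknown account is created and logged in.
$users  = freshStore();
$result = resolveOauthLogin([], $unknown, $users);
printf("defaults:      %-8s users in store: %d\n", $result['action'], count($users->byEmail));

// 2. create_user => false: the same identity is refused and the store is untouched.
$users  = freshStore();
$result = resolveOauthLogin(
    ['create_user' => false, 'unauthorized_redirect' => '/some-unauthorized-page'],
    $unknown,
    $users
);
printf("create_user=0: %-8s -> %s, users in store: %d\n", $result['action'], $result['to'], count($users->byEmail));

// 3. Existing user with merge_user_data => false keeps the locally managed profile.
$result = resolveOauthLogin(
    ['create_user' => false, 'merge_user_data' => false],
    ['email' => 'admin@example.com', 'name' => 'Renamed By IdP'],
    $users
);
printf("merge=0:       %-8s as %s, roles: %s\n", $result['action'], $result['user']['name'], implode(',', $result['user']['roles']));
```

Run it with the PHP CLI. The two things worth checking when reviewing an implementation of this option are the ones the demo prints: with `create_user => false` the user store is the same size after the refused login as before it, and with `merge_user_data => false` the name the admin entered survives a provider that reports something else. In this model roles and groups are never taken from the identity provider in either mode, which is what makes an auto-created account "unauthorized" rather than silently privileged.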


4 participants