Oauth2_client ENABLE_AUTO_REGISTRATION configuration #16826

Closed
kzinas-adv opened this issue Aug 26, 2021 · 9 comments
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail

Comments

@kzinas-adv

  • Gitea version (or commit ref): 1.15.0
  • Operating system: CentOS 8
  • Database (use [x]):
    • [x] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • [x] No

Hi,

I want to use only SSO/OAuth2 from Google for authentication: no Gitea local accounts, no anonymous external users.
Only users in my Google organization should be able to log in; AS WELL, new users in my Google organization should be able
to auto sign in to Gitea.
I suppose [oauth2_client] ENABLE_AUTO_REGISTRATION is just for this purpose.
But it does not work. Maybe you have ideas?
My config:

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true

[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
USERNAME = email
ACCOUNT_LINKING = auto

...

@kzinas-adv
Author

PR which implements this code #5123

@zeripath
Contributor

Have you added an oauth2 authentication source?

zeripath added the issue/needs-feedback label Aug 27, 2021

@kzinas-adv
Author

kzinas-adv commented Aug 31, 2021

Yes, through https://git.mysite.com/admin/auths; it has worked for a year or something, but only if you manually link accounts through the GUI.
I mean linking a local Gitea account to a Google account.
My intention is to avoid this step.

@zeripath
Contributor

zeripath commented Sep 6, 2021

Ah I think this is a duplicate of #16831.

Did you do a gitea dump from a version of gitea 1.14.3-1.14.6 and then restore?

If so the problem is that the config of your local source has been broken - but this would also affect your repo units too.

@kzinas-adv
Author

kzinas-adv commented Sep 7, 2021

Hi,

No, it was just a binary upgrade from 1.14.6 to 1.15.0. Should I do a dump / re-import for such an upgrade?
And Google SSO is working fine, except for that new feature, which should be working (auto registration through your Google organization, aka through OAuth2 login).

@zeripath
Contributor

zeripath commented Sep 7, 2021

> No, it was just a binary upgrade from 1.14.6 to 1.15.0.

OK.

> Should I do a dump / re-import for such an upgrade?

No, you should not need to. In fact, if you had, there would have been a problem.

> And Google SSO is working fine, except for that new feature, which should be working (auto registration through your Google organization, aka through OAuth2 login).

The issue is that DISABLE_REGISTRATION is disabling the autoregistration.

if !(setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration) && setting.OAuth2Client.EnableAutoRegistration {

@kzinas-adv
Author

kzinas-adv commented Sep 17, 2021

OK, it is working, but I need an option something like ALLOW_ONLY__OAUTH2_REGISTRATION, because now if I allow DISABLE_REGISTRATION = false, ALLOW_ONLY_EXTERNAL_REGISTRATION, it is possible for totally external users from the same OAuth2 provider to register in my Gitea.
For example, a Google user who is not in my Google organization; any Google user.
Am I missing something, or is this a new feature request?

[service]
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = false
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = true
REGISTER_MANUAL_CONFIRM           = true
ENABLE_CAPTCHA                    = true
REQUIRE_SIGNIN_VIEW               = false
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING       = true

[oauth2_client]
ENABLE_AUTO_REGISTRATION          = true
USERNAME                          = email
ACCOUNT_LINKING                   = disabled

OAuth2 implementations in other products have something like:
Google OAuth2 Allowed Domains = "mydomain.com"

@kzinas-adv
Author

Not exactly that, but it works:

[service]
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = false
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = true
REGISTER_MANUAL_CONFIRM           = true
ENABLE_CAPTCHA                    = true
REQUIRE_SIGNIN_VIEW               = false
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = mydomain.com
EMAIL_DOMAIN_WHITELIST            = "mydomain.com"

[oauth2_client]
ENABLE_AUTO_REGISTRATION          = false
USERNAME                          = email
ACCOUNT_LINKING                   = disabled
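
Added example (not part of the thread and not Gitea's own code): a small Go audit that models the two findings discussed above, namely the quoted condition under which DISABLE_REGISTRATION suppresses auto-registration and open registration with no EMAIL_DOMAIN_WHITELIST, and runs them over the three configurations posted here. The finding names and the ALLOW_ONLY_INTERNAL_REGISTRATION key (assumed to correspond to `AllowOnlyInternalRegistration`) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// parseINI flattens "[section]" / "KEY = value" lines into "section.KEY" -> value.
func parseINI(text string) map[string]string {
	out, section := map[string]string{}, ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.Trim(line, "[]")
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			out[section+"."+strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return out
}

// Audit models the two findings from this thread; it is not Gitea's implementation.
func Audit(ini string) []string {
	c := parseINI(ini)
	on := func(key string) bool { return strings.EqualFold(c[key], "true") }
	// ALLOW_ONLY_INTERNAL_REGISTRATION: key name assumed from AllowOnlyInternalRegistration.
	closed := on("service.DISABLE_REGISTRATION") || on("service.ALLOW_ONLY_INTERNAL_REGISTRATION")
	var findings []string
	// Mirrors the quoted condition: auto-registration only runs while registration is open.
	if on("oauth2_client.ENABLE_AUTO_REGISTRATION") && closed {
		findings = append(findings, "auto-registration-suppressed")
	}
	// Open registration without a domain restriction admits any account at the provider.
	if !closed && c["service.EMAIL_DOMAIN_WHITELIST"] == "" {
		findings = append(findings, "no-email-domain-restriction")
	}
	return findings
}

// The three configurations posted in the thread, trimmed to the keys checked here.
const (
	First  = "[service]\nDISABLE_REGISTRATION = true\n[oauth2_client]\nENABLE_AUTO_REGISTRATION = true"
	Second = "[service]\nDISABLE_REGISTRATION = false\nALLOW_ONLY_EXTERNAL_REGISTRATION = true\n[oauth2_client]\nENABLE_AUTO_REGISTRATION = true"
	Third  = "[service]\nDISABLE_REGISTRATION = false\nEMAIL_DOMAIN_WHITELIST = \"mydomain.com\"\n[oauth2_client]\nENABLE_AUTO_REGISTRATION = false"
)

func main() {
	for i, ini := range []string{First, Second, Third} {
		fmt.Printf("config %d: %v\n", i+1, Audit(ini))
	}
}
```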

@wxiaoguang
Contributor

Stale and out-dated

The code has changed a lot

@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023