feat(oauth): Allow to skip grant step for selected applications #49670
Conversation
I added back the grant step because I am not comfortable enough with oauth2 to understand if it can be skipped.
Signed-off-by: Côme Chilliet <[email protected]>
… it does Signed-off-by: Côme Chilliet <[email protected]>
@@ -8,6 +8,7 @@ | |||
*/ | |||
namespace OCA\OAuth2\Controller; | |||
|
|||
use OC\Core\Controller\ClientFlowLoginController; |
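Review bot: the added `use OC\Core\Controller\ClientFlowLoginController;` pulls a class from the private `OC\` namespace into the `OCA\OAuth2` app namespace declared two lines above; since only the import is visible in this hunk, confirm the symbol is actually used in this file and that depending directly on a core controller class (rather than a public `OCP` interface) is intended for this app.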
🙈
I'm late to the party.
As long as this can only be enabled with a hidden config, we can also skip the grant step IMO, even if this does not fully respect the oauth specs. I mean, if the goal is to have a transparent oauth flow from a user perspective, the grant step can be removed.
Why not let the admin decide how they like to deal with both dialogues independently? Creating two individual arrays would give maximum flexibility. For example: What do you think?
We talked about it and from a security perspective that makes phishing attempts way too easy. A link could be crafted that when clicked directly grants the attacker access without any further interaction.
Summary
To get the skipped version, I ran:
`occ config:app:set oauth2 skipAuthPickerApplications --type array --value '["me"]'`
with `me` being the name associated with my client in the `oc_oauth2_clients` table.
TODO
- Is client name the right thing to match against? (Especially, is that safe?) It should be good, clients (applications) are added and controlled by the admin.
- I suppose `ClientFlowLoginV2Controller` should be adapted as well? Why are there 2 of those? Not needed, oauth2 uses v1 only.
- Why is there a step before the login screen? It is now skipped as well for configured applications.
Checklist