story #9658 log in to a Tuleap instance using only an OpenID Connect provider
Summary
user
log in to a Tuleap instance using only an OpenID Connect provider
The log in and register flows are easier to comprehend and use.
  • It is possible to choose an OpenID Connect provider as the unique authentication provider for the Tuleap instance
  • When an OpenID Connect provider is selected as the unique authentication provider:
    • Register link in navbar is replaced by a Sign In link
    • Log in link in the navbar does not exist
    • Login form in the homepage is not displayed
    • Existing register page (register.php) is not accessible
    • Existing login page (login.php) is still accessible but nothing should link to this page
    • Users cannot unlink their Tuleap account from the OpenID Connect provider
    • A user can set/modify a password for his account without knowing the old one (since the old one cannot exist if the user has been registered through OpenID Connect). This way the services relying on password authentication can still work (Git HTTP, Subversion...)
  • If a user tries to authenticate and his account does not exist on the Tuleap instance, a new user account is created automatically. If the same email is found in the database, the user gets the usual link page shown when connecting for the first time with an OpenID Connect provider.
Status
Done
Development
  • [x] Does it involve User Interface?
  • [x] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [x] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
  • The profile and email claims must be requested from the OpenID Connect provider so we can get the name, family name and email of the user to create the user account
  • Password fields in the user table can be set to NULL, so we need to verify the behavior of:
    • REST
    • SOAP
    • login.php page
    • Git over HTTP
    • SVN
    • Unix authentication (SSH for example)
    • OpenFire (needed?)
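
The account resolution from the acceptance criteria (automatic creation, link page when the email already exists) combined with the profile and email claims listed above, as an added Python example. It is not Tuleap code: `Account`, `UserStore`, `resolve_login` and the "reject" outcome for missing claims are assumptions made for illustration, and the ID token is assumed to be validated already.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scopes to request so the ID token carries the profile and email claims.
REQUESTED_SCOPE = "openid profile email"


@dataclass
class Account:  # hypothetical model, not Tuleap's user table
    user_id: int
    email: str
    real_name: str
    password_hash: Optional[str] = None  # NULL for OIDC-registered users


@dataclass
class UserStore:  # hypothetical in-memory stand-in for the database
    accounts: list = field(default_factory=list)
    links: dict = field(default_factory=dict)  # (issuer, sub) -> user_id

    def by_email(self, email):
        wanted = email.strip().lower()
        return next((a for a in self.accounts if a.email.lower() == wanted), None)


def resolve_login(store, issuer, claims):
    """Decide what to do with the claims of an already validated ID token."""
    key = (issuer, claims["sub"])
    if key in store.links:  # provider identity already linked
        uid = store.links[key]
        return "login", next(a for a in store.accounts if a.user_id == uid)
    email = claims.get("email")
    if not email:
        return "reject", None  # assumption: no email claim, no account
    existing = store.by_email(email)
    if existing is not None:
        # Same email in the database: no silent merge, show the link page.
        return "link_page", existing
    given, family = claims.get("given_name"), claims.get("family_name")
    if not (given and family):
        return "reject", None  # assumption: names are required to register
    account = Account(len(store.accounts) + 1, email, f"{given} {family}")
    store.accounts.append(account)
    store.links[key] = account.user_id
    return "created", account
```

Accounts created this way keep `password_hash` at `None`, which is the NULL-password case whose behavior the list above asks to verify for REST, SOAP, Git over HTTP and the other password-based services.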
Details
#9658
Thomas Gerbet (tgerbet)
2016-12-05 14:59
2016-11-15 12:06
9936

Follow-ups

Thomas Gerbet (tgerbet) 2016-11-15 15:39
  • So that
  • Acceptance criteria
  • Technical informations
Marine Pieux (nynoe) 2016-11-15 12:10
  • Attachments site-admin-plugins-openid-connect-unique-provider.sketch removed