story #9658 log in to a Tuleap instance using only an OpenID Connect provider
Summary
user
log in to a Tuleap instance using only an OpenID Connect provider
The log in and register flows are easier to comprehend and use.
  • It is possible to choose an OpenID Connect provider as the unique authentication provider for the Tuleap instance
  • When an OpenID Connect provider is selected as the unique authentication provider:
    • Register link in navbar is replaced by a Sign In link
    • Log in link in the navbar does not exist
    • Login form in the homepage is not displayed
    • Existing register page (register.php) is not accessible
    • Existing login page (login.php) is still accessible but nothing should link to this page
    • Users cannot unlink their Tuleap account from the OpenID Connect provider
    • A user can set/modify a password for his account without knowing the old one (since the old one cannot exist if the user has been registered through OpenID Connect). This way the services relying on password authentication can still work (Git HTTP, Subversion...)
  • If a user tries to authenticate and his account does not exist on the Tuleap instance, a new user account is created automatically. If the same email is found in the database, you get the usual link page you have when you connect for the first time with an OpenID Connect provider.
Status
Done
Development
  • [x] Does it involve User Interface?
  • [x] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [x] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
  • The claims profile and email must be requested from the OpenID Connect provider so we can get the name, family name and email of the user to create the user account
  • Password fields in the user table can be set to NULL, we need to verify the behavior of:
    • REST
    • SOAP
    • login.php page
    • Git over HTTP
    • SVN
    • Unix authentication (SSH for example)
    • OpenFire (needed?)
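The account resolution described in the acceptance criteria (existing link, same email found, or automatic creation from the profile and email claims) can be sketched as follows. This is an added example, not Tuleap's code: `Directory`, `User`, `resolve_login` and all sample values are hypothetical, and it assumes the provider returns the standard OIDC claims `sub`, `email`, `given_name` and `family_name`.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    user_id: int
    email: str
    realname: str
    password_hash: Optional[str] = None  # NULL until the user sets a password

@dataclass
class Directory:
    """In-memory stand-in (hypothetical) for the user table and provider links."""
    users: dict = field(default_factory=dict)  # user_id -> User
    links: dict = field(default_factory=dict)  # (issuer, sub) -> user_id

    def by_email(self, email):
        return next((u for u in self.users.values()
                     if u.email.lower() == email.lower()), None)

REQUIRED_CLAIMS = ("sub", "email", "given_name", "family_name")

def resolve_login(directory, issuer, claims):
    """Return (action, user); action is 'login', 'link_required' or 'created'."""
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        # Scopes profile/email were not granted: refuse rather than create
        # an account with empty identity fields.
        raise ValueError(f"provider did not return claims: {missing}")
    key = (issuer, claims["sub"])  # stable identity is issuer + sub, not email
    if key in directory.links:
        return "login", directory.users[directory.links[key]]
    existing = directory.by_email(claims["email"])
    if existing is not None:
        # Same email already registered: no session and no link are created
        # here; the user goes through the link page and proves ownership.
        return "link_required", existing
    user = User(len(directory.users) + 1, claims["email"],
                f'{claims["given_name"]} {claims["family_name"]}')
    directory.users[user.user_id] = user
    directory.links[key] = user.user_id
    return "created", user
```

The newly created account has no password hash, which is the NULL-password case whose behavior must be verified for the password-based services in the list above.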
Details
#9658
Thomas Gerbet (tgerbet)
2016-12-05 14:59
2016-11-15 12:06
9936

References
Referencing story #9658

Git commit

tuleap/tuleap/stable

We can set an OpenID Connect provider as the unique authentication endpoint in the database 79dd32cfed
Request the scopes email and profile when the provider is the unique authentication endpoint 47fc6c7b04
You cannot unlink a provider defined as unique authentication endpoint from your user account 97cd7806c6
A user can change his password without knowing the previous one 1488a57b7a
Users should not be redirected to the login page when they are not authenticated aca043d9ea
Only a login link to the provider is displayed in the navbar when this provider 733f06b70f
Do not display the login form on the homepage if a provider b86d6aae01
Disable register a user page when registration is not possible 4fcc4c2e26
Directly register a user if a provider is configured as unique authentication endpoint 46a4407ea9
Administrators can see if a provider is the unique authentication endpoint 27665288c9
Administrators can define a provider as unique authentication method b3252841a4
Only show to administrators information when the provider is set as unique authentication provider febbeb3f80
Do not redirect immediately if the platform is restricted to the anonymous e483f45b1d

Follow-ups

Thomas Gerbet (tgerbet) 2016-11-15 15:39
  • So that
  • Acceptance criteria
  • Technical informations
Marine Pieux (nynoe) 2016-11-15 12:10
  • Attachments site-admin-plugins-openid-connect-unique-provider.sketch removed