-
Notifications
You must be signed in to change notification settings - Fork 2
autoprovision new users on login #55
Comments
Who will authenticate the user in that situation? |
I guess the normal request flow would be that this happens after the OIDC and account_uuid middlewares in ocis-proxy, so the user should be authenticated already. Just not provisioned in the accounts service, yet. |
In fact, it could happen within the account_uuid middleware |
From my understanding the plan is this client -requests-> ocis-konnectd -requests-> ocis-glauth -requests-> ocis-account. But if the ocis-accounts service doesn't know about a user then the above chain would not work since the authentication would fail in the ocis-accounts service. |
Here the diagram that @butonic drew. |
Step 1 is authenticated already. You only have a bearer token after a successful authentication. So this |
Or maybe I'm not up to date with how we store users. If glauth needs ocis-accounts in the future to do anything, then you're right. But I thought that glauth will continue to have a config file for the available "LDAP" users and not rely on ocis-accounts for that. |
Yeah, I think we should clarify that. 😄 |
Hm... just thinking, this ticket is probably not about glauth, but only about scenarios where we have a real LDAP. |
Ok the scenario is as follows: The idp has a source other than ocis-glauth/ocis-accounts and authenticates the user. |
when the accounts service does not know an account (either by email, username, or custom claim) ocis-proxy should provision the user on the fly. should happen in a dedicated middleware that can be disabled via the config.
followup tasks
The text was updated successfully, but these errors were encountered: