
Option to lock users to OAuth2 #21

Open
hirnschmalz opened this issue Apr 7, 2024 · 6 comments

Comments

@hirnschmalz

Our main use case for SSO is to move user maintenance to our identity provider. To make it impossible for users to log in to the backend after they have been disabled in the identity provider, it would be great to have an option to

  • disable password field in the TYPO3 backend if the user is an OAuth2 user
  • disable the OAuth2 providers list as soon as the user has activated one (from the personal user settings and also from the user list which is available for admin users)
  • disable the username/password provider for users with OAuth2 (if this is possible)
@maikschneider
Member

Hey @hirnschmalz, do you want to activate this feature for regular backend users or for admin users as well? In case it's sufficient for non-admin users, maybe disabling the user > settings module for this backend group would be enough?

@hirnschmalz
Author

@maikschneider this should also be possible for BE admins.

@maikschneider
Member

Okay. I think this should be possible.

User settings

Disabling the fields in user settings is very easy via UserTS which could be added via a special be_group:

setup.fields.password.disabled = 1
setup.fields.password2.disabled = 1
setup.fields.email.disabled = 1
setup.fields.mfaProviders.disabled = 1
setup.fields.tx_oauth2_client_configs.disabled = 1

User edit (via System > Backend Users)

This is plain TCA and therefore a couple of hooks do exist.

I will have a look into it to make it as easy as possible. It is for sure a useful feature, thanks.
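As an added illustration of the "plain TCA, hooks exist" point above (hypothetical code, not part of this extension or written by its maintainers): a DataHandler hook that drops password changes for backend users who already have an OAuth2 provider attached, so a user disabled at the identity provider cannot quietly be given a local password through System > Backend Users. The class name, namespace and the `tx_oauth2_client_configs` column name are assumptions taken from the setup.fields key in this thread; check the column against your TCA before using it.

```php
<?php
declare(strict_types=1);

namespace Vendor\Example\Hooks;

use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Hypothetical DataHandler hook (example only, not from the extension discussed here).
 *
 * Refuses to persist a new password for a be_users record that already has an
 * OAuth2 provider, so the account stays locked to SSO. Register in ext_localconf.php:
 *
 *   $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][]
 *       = \Vendor\Example\Hooks\OAuth2PasswordLockHook::class;
 */
final class OAuth2PasswordLockHook
{
    // Assumption: be_users column holding the number of attached OAuth2 provider
    // configurations (name taken from the setup.fields key used in the issue).
    private const OAUTH2_FIELD = 'tx_oauth2_client_configs';

    public function processDatamap_postProcessFieldArray(
        string $status,
        string $table,
        $id,
        array &$fieldArray,
        DataHandler $dataHandler
    ): void {
        // Only updates of existing backend users that carry a password are relevant.
        if ($table !== 'be_users' || $status !== 'update' || !isset($fieldArray['password'])) {
            return;
        }
        if (!$this->hasOAuth2Provider((int)$id)) {
            return;
        }
        // Drop the field so nothing is written, and record the refusal in the
        // DataHandler log (sys_log) so the attempt stays visible to administrators.
        unset($fieldArray['password']);
        $dataHandler->log(
            $table,
            (int)$id,
            2,   // action: update
            0,
            1,   // error level: this entry is flagged as an error
            'Password change rejected: backend user ' . (int)$id . ' is locked to OAuth2 login.'
        );
    }

    private function hasOAuth2Provider(int $uid): bool
    {
        $row = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getConnectionForTable('be_users')
            ->select([self::OAUTH2_FIELD], 'be_users', ['uid' => $uid])
            ->fetchAssociative();

        return $row !== false && (int)$row[self::OAUTH2_FIELD] > 0;
    }
}
```

This covers the edit form and any other write that goes through the DataHandler, but, as the rest of the thread points out, it is defence in depth rather than enforcement: an administrator can still create a fresh admin account or disable the hook, so the UserTS restrictions and a dedicated backend group remain the primary control.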

@hirnschmalz
Author

I'm aware of the TsConfig settings. The problem is that if the SSO user is a TYPO3 backend admin, he could adjust these values himself and "open a door" by adding a password, and so let himself log in even if the user is no longer active in the identity provider.

@maikschneider
Member

As admin you could just create a new admin user with username and password. Admins in general have the privilege to adjust user settings - this is hardcoded. If you have trust issues, don't give your users admin privileges.

@hirnschmalz
Author

Yes, good point. Since there won't be a solution which is 100% safe and also works for TYPO3 admins, I guess there is no need for adaptations. I'll create a dedicated BE usergroup.

Maybe a hint in the README.md for other users would be a good idea.
