Registration flag and SSO/OIDC

[gramakri]

We are looking into packaging 2FAuth for Cloudron. The app works great (looking forward to sharing!) and OIDC login works as well.

We noticed that when registration is disabled, new OIDC users cannot login. This is as documented in the UI. But this leaves the end user in a tricky situation when using OIDC:

• Somehow make sure all users are logged into 2FAuth already before disabling registration
• When registration is enabled, anyone can register. Leaving the instance open to spammers. When sharing feature is implemented, this is almost a security hole. Since leaving registration open for a new OIDC user to login leaves the instance open for spammer to register and see shared 2FAs.

Let me know if I missed something. But is it possible to decouple the new OIDC user flag and registration ?

[Bubka]

Hi,

Currently this is not possible, I need to make some changes to the code base.
I could add a `Keep SSO registration enabled' setting, with a related selector to choose the SSO provider to keep enabled. What do you think?

[gramakri]

@Bubka yes, that would be great to have a 'keep SSO registration enabled' setting. Not sure if a selector is required, we can just keep all SSO enabled with that single setting. I don't know of a use case where one wants to enable a few and disable others.

[Bubka]

I was thinking about very specific use case like this one: 2 SSO providers needs to be enabled, but only one should accept new user registration, the other one being a legacy provider that only accepts login of already registered users. But maybe it's too specific, at least for now.

[gramakri]

@Bubka thanks for implementing this so quickly! Just wanted to leave a note that this works perfectly. I can now disable registration but keep SSO enabled.

[Bubka]

Thanks for the feedback, glad it work 👍🏻