U4-6753 - Identity support must have an option to enable auto-linked accounts

Created by Shannon Deminick 24 Jun 2015, 07:37:06 Updated by Shannon Deminick 02 Jul 2015, 08:54:52

For some providers it doesn't make sense to have to link external accounts after a local account has been created. These providers would be OAuth providers such as Active Directory providers, where the admin knows that only their users will auth against the end-point.

For public providers such as Google or Facebook, this doesn't make any sense; we cannot auto-link public providers.

The auto-linking should be enabled by a startup option. When it is activated and a user that doesn't have a local account is auth-ed, on the reply we will create a local user with a generated password and create their account as per the specified options of the provider. With a generated password they cannot log in offline, but that is ok; if that functionality is required then the administrator can log in to the back office to reset their local password.

Comments

Shannon Deminick 26 Jun 2015, 15:16:00

To do this there is an extension method on Microsoft.Owin.Security.AuthenticationOptions called SetExternalSignInAutoLinkOptions, to which you can pass an instance of: Umbraco.Web.Security.Identity.ExternalSignInAutoLinkOptions

(https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Security/Identity/ExternalSignInAutoLinkOptions.cs)

This is done during the configuration of the OAuth provider. The options class allows you to dynamically return data for each of its methods if required; alternatively you can specify what the methods will return based on its ctor arguments. Generally there would be very little to configure, and if you wanted to auto-link/create local accounts based on your external OAuth provider you can just do (for example):

googleOptions.SetExternalSignInAutoLinkOptions(
   new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true));


Shannon Deminick 26 Jun 2015, 15:32:01

The custom options also have a field to display a custom angular view after the linking has taken place; this view can be used to gather further user information such as their name, a local login name or password, etc. This hasn't been implemented yet, will do soon.


Priority: Task - Pri 1

Type: Task

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.3.0

Sprint:

Story Points:

Cycle: