Add native support for Auth0

Everything that I know needs to get done is now done so feel free to review & test. I'm going to start testing it myself now.

Please take care of the problem described in 🐛 Auth0 users can log in without e-mail verification even when it's required Closed: duplicate in this issue.

Fair enough if you think that's an Auth0 thing, but can we handle these separately? Do this one first, and the other as a follow-up? I'd like to get this one in, and probably won't be working on the other one due to time constraints (and the workaround).

The first commit above is necessary because until now, the error description just goes in the log and users don't see it. However, what can get returned is:

Please verify your email before logging in.

Also, I hate it when I get a message saying that there's an error without telling me what the error is. This fixes that problem.

From a security perspective, I don't believe we're leaking anything problematic here; it's just the reason the login is failing, which users have a right to know. And security through obscurity doesn't work anyway.

The second commit adds docs to the Auth0 form, telling admins how to configure their Auth0 accounts to enforce e-mail verification. (It's actually trivial, and I don't think it's worth figuring out how to handle this on the Drupal side, especially if it's just for this one IDP so I'm just handling it in this issue.)

Anyone know what's going on with that CI error? Testbot isn't running.

This is now good to go as I believe I've tested the basic scenarios, and everything seems to be fine. Please review the code and test yourself!

I did, however, run into 🐛 Cannot enforce IDP-only account creation Needs work , but I don't believe that's specific to this plugin (so that's why I created a separate issue).

Here's the MR as a patch for Composer.

Lastest MR as a patch for Composer.

Edit: Don't review the code here as it's the multiple-patch file from Gitlab; it'd be confusing. Look at the MR instead.

Hi,
I've tested latest patch and work good!
there is a way to anonymize username and email stored in Drupal from auth0?
Thanks for the support

Anonymizing the username and email are a bit out of scope of the module.. The objective here is to allow an external ID provider to "vouch" for a user that is then created in Drupal. That Drupal user should have at least a real e-mail so that any functionality depending on that from Drupal's side can still work.

You are of course free to create a patch to anonymize that data in your own site by hacking into the relevant lines in this plugin, but you'll have to maintain that site-specific modification on your own.

In any case, thanks for finally marking this as "Reviewed & tested by the community"

Is there a more generic way we could implement the logout query override so the plugins are returning the URL or maybe just the query parameters rather than implementing a non-standard hook_alter? We already have OpenIDConnectClientBase::getRedirectUrl() At first I thought a getRedirectLogoutUrl() would work, but the URL requires the path from the main openid_connect settings, which feels inappropriate to read from inside a plugin. Maybe OpenIDConnectClientBase::getLogoutUrlOptions() similar to OpenIDConnectClientBase::getUrlOptions()?

Noting here: Login_gov also needs to fix up the logout redirect parameters in a very similar way. 🐛 Handle logout URL Active depends on the alterLogoutRedirectionQuery(). I'm going to hold off merging the login_gov MR until this one is finalized.