- Assigned to colan
- Status changed to Needs review
almost 2 years ago 5:54pm 18 January 2023 - Status changed to Active
almost 2 years ago 8:31pm 18 January 2023 - Status changed to Needs review
almost 2 years ago 6:24pm 25 January 2023 - 🇨🇦Canada colan Toronto 🇨🇦
Everything that I know needs to get done is now done so feel free to review & test. I'm going to start testing it myself now.
- Status changed to Needs work
almost 2 years ago 9:07pm 26 January 2023 - 🇵🇹Portugal jcnventura
Please take care of the problem described in 🐛 Auth0 users can log in without e-mail verification even when it's required Closed: duplicate in this issue.
- Status changed to Needs review
almost 2 years ago 9:53pm 26 January 2023 - 🇨🇦Canada colan Toronto 🇨🇦
Fair enough if you think that's an Auth0 thing, but can we handle these separately? Do this one first, and the other as a follow-up? I'd like to get this one in, and probably won't be working on the other one due to time constraints (and the workaround).
- 🇨🇦Canada colan Toronto 🇨🇦
The first commit above is necessary because until now, the error description just goes in the log and users don't see it. However, what can get returned is:
Please verify your email before logging in.
Also, I hate it when I get a message saying that there's an error without telling me what the error is. This fixes that problem.
From a security perspective, I don't believe we're leaking anything problematic here; it's just the reason the login is failing, which users have a right to know. And security through obscurity doesn't work anyway.
The second commit adds docs to the Auth0 form, telling admins how to configure their Auth0 accounts to enforce e-mail verification. (It's actually trivial, and I don't think it's worth figuring out how to handle this on the Drupal side, especially if it's just for this one IDP so I'm just handling it in this issue.)
- 🇨🇦Canada colan Toronto 🇨🇦
Anyone know what's going on with that CI error? Testbot isn't running.
- 🇨🇦Canada colan Toronto 🇨🇦
This is now good to go as I believe I've tested the basic scenarios, and everything seems to be fine. Please review the code and test yourself!
I did, however, run into 🐛 Cannot enforce IDP-only account creation Needs work , but I don't believe that's specific to this plugin (so that's why I created a separate issue).
- 🇨🇦Canada colan Toronto 🇨🇦
Lastest MR as a patch for Composer.
Edit: Don't review the code here as it's the multiple-patch file from Gitlab; it'd be confusing. Look at the MR instead.
- Status changed to RTBC
11 months ago 10:39pm 22 January 2024 - 🇮🇹Italy bigbabert Milano, Italy
Hi,
I've tested latest patch and work good!
there is a way to anonymize username and email stored in Drupal from auth0?
Thanks for the support - 🇵🇹Portugal jcnventura
Anonymizing the username and email are a bit out of scope of the module.. The objective here is to allow an external ID provider to "vouch" for a user that is then created in Drupal. That Drupal user should have at least a real e-mail so that any functionality depending on that from Drupal's side can still work.
You are of course free to create a patch to anonymize that data in your own site by hacking into the relevant lines in this plugin, but you'll have to maintain that site-specific modification on your own.
In any case, thanks for finally marking this as "Reviewed & tested by the community"
- 🇺🇸United States John Franklin
Is there a more generic way we could implement the logout query override so the plugins are returning the URL or maybe just the query parameters rather than implementing a non-standard hook_alter? We already have
OpenIDConnectClientBase::getRedirectUrl()
At first I thought agetRedirectLogoutUrl()
would work, but the URL requires the path from the mainopenid_connect
settings, which feels inappropriate to read from inside a plugin. MaybeOpenIDConnectClientBase::getLogoutUrlOptions()
similar toOpenIDConnectClientBase::getUrlOptions()
?Noting here: Login_gov also needs to fix up the logout redirect parameters in a very similar way. 🐛 Handle logout URL Active depends on the
alterLogoutRedirectionQuery()
. I'm going to hold off merging the login_gov MR until this one is finalized.