Proper OIDC Implementation

[seamon67]

The current implementation of OIDC makes it completely un-usable. Please do note that OIDC is an essential security feature.

If the env var DISABLE_REGISTRATION is set to true, Postiz allows only 1 account registration which is ideally what you want for a homelab setup. However, it disables OIDC completely (even for already registered users).

The only way to use OIDC is to unset the aforementioned variable which means that any rando can register an ADMIN account if Postiz is exposed to the Internet. This is a massive security issue.

One very simple solution is to implement the following:

• Enable OIDC even when DISABLE_REGISTRATION is set for already registered users.
• When DISABLE_REGISTRATION is set, allow registrations only via Invite Link for all users (including OIDC).

This will also allow OIDC Users to be part of the same org when they sign in.

[nevo-david]

@seamon67 so basically, don't disable OIDC if DISABLE_REGISTRATION is enabled.
Gotcha, it's like a two minutes fix

[nevo-david]

I am not sure about the same org, as it might be something not eveybody will want.
If you want users to be in the same org, just invite each other

[vrisalab]

I'm not sure if I'm allowed to reply in a closed issue, but the fix does not seem to work. When I try to sign in to an already existing user with my OIDC, it just redirects me to the Sign Up page.

I'm user docker with the new 'v1.48.1-amd64' tag

[seamon67]

Yep same here, it's not working for me as well.

[nevo-david]

I created another version (it's being deployed).
Sorry, it's hard for me to test as I don't have any generic OAuth to check.
But this one should be working.

[seamon67]

I will check it once it's deployed.

[vrisalab]

The issue persists. Is there any way we can help? I see nothing on the logs when I attempt to login

[nevo-david]

@vrisalab what version are you on?

[vrisalab]

Im using the 1.48.3 image now

[nevo-david]

Can one of you provide me with keys information for the generic OIDC?