
Suggestion: support automatic user creation when logging in to the Portal via OAuth

Open yuanhaoliang opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.

Because OIDC login also verifies that the userinfo contains a `sub` claim equal to the one in the id_token, the Apollo Portal can only use the openid as the username. Our old usernames, however, are pinyin names, so after switching from username/password login to OIDC login there is no way to match them to the old accounts.

We finally managed to switch to OAuth 2.0 login, but it does not support creating new accounts either. At that point the Portal's user management cannot create new users: the code restricts manual creation of new users to the username/password login mode.

Describe the solution you'd like

Add OAuthUser login handling in OidcAuthenticationSuccessEventListener so that the account is created automatically.


  @Override
  public void onApplicationEvent(AuthenticationSuccessEvent event) {
    Object principal = event.getAuthentication().getPrincipal();
    if (principal instanceof OidcUser) {
      this.oidcUserLogin((OidcUser) principal);
      return;
    }
    if (principal instanceof Jwt) {
      this.jwtLogin((Jwt) principal);
      return;
    }

    // Added: recognise a plain OAuth2User principal (OAuth 2.0 login without OIDC)
    if (principal instanceof OAuth2User) {
      this.oauth2UserLogin((OAuth2User) principal);
      return;
    }

    log.warn("principal is neither oidcUser, jwt nor oauth2User, principal=[{}]", principal);
  }

  // Added: oauth2UserLogin method, mirroring oidcUserLogin
  private void oauth2UserLogin(OAuth2User oauth2User) {
    log.warn("oauth2UserLogin, oauth2User=[{}]", oauth2User);
    // getName() returns the provider's configured user-name-attribute (e.g. sub)
    UserInfo newUserInfo = new UserInfo();
    newUserInfo.setUserId(oauth2User.getName());
    newUserInfo.setName(oauth2User.getAttribute(StandardClaimNames.PREFERRED_USERNAME));
    newUserInfo.setEmail(oauth2User.getAttribute(StandardClaimNames.EMAIL));

    // Update the local user if it already exists, otherwise create it
    if (this.contains(oauth2User.getName())) {
      this.oidcLocalUserService.updateUserInfo(newUserInfo);
      return;
    }
    this.oidcLocalUserService.createLocalUser(newUserInfo);
  }

Describe alternatives you've considered

In the check performed by User Management → Create User, allow manual account creation when logged in as an OAuthUser.

Additional context

Add any other context or screenshots about the feature request here.

yuanhaoliang avatar Mar 24 '25 03:03 yuanhaoliang
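An added example (not code from this issue or from Apollo) of the check a defender would want in front of such auto-provisioning: the attributes in an OAuth 2.0 userinfo response are provider-controlled, so the hypothetical `OAuth2UserProvisioningPolicy` below validates the user id and claim shapes before the listener creates or updates a local account. It assumes Apollo's `UserInfo` setters used in the proposal above and Spring Security's `OAuth2User` and `StandardClaimNames`.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.oauth2.core.user.OAuth2User;

import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;

// Hypothetical helper (not part of Apollo): decides whether an OAuth2User may be
// auto-provisioned as a local Portal user and, if so, builds the UserInfo for it.
public final class OAuth2UserProvisioningPolicy {

  // The local user id ends up in Portal authorization entries, so restrict it to a
  // conservative character set: the provider controls this claim, and whitespace or
  // separators inside it would make those entries ambiguous to read and audit.
  private static final Pattern SAFE_USER_ID = Pattern.compile("^[A-Za-z0-9._@-]{1,64}$");

  private OAuth2UserProvisioningPolicy() {}

  // Returns the UserInfo to create/update, or empty when the principal should not be
  // provisioned (missing or malformed user id). The caller logs and skips in that case.
  public static Optional<UserInfo> toLocalUser(OAuth2User oauth2User) {
    // getName() yields the provider's configured user-name-attribute (e.g. "sub")
    String userId = oauth2User.getName();
    if (userId == null || !SAFE_USER_ID.matcher(userId).matches()) {
      return Optional.empty();
    }

    Map<String, Object> attrs = oauth2User.getAttributes();
    String name = asText(attrs.get(StandardClaimNames.PREFERRED_USERNAME));
    String email = asText(attrs.get(StandardClaimNames.EMAIL));
    UserInfo userInfo = new UserInfo();
    userInfo.setUserId(userId);
    // Never store a null display name: fall back to the user id when the claim is absent
    userInfo.setName(name != null ? name : userId);
    userInfo.setEmail(email);
    return Optional.of(userInfo);
  }

  // Accepts only non-blank string claims; anything else is treated as absent
  private static String asText(Object value) {
    if (!(value instanceof String)) {
      return null;
    }
    String text = ((String) value).trim();
    return text.isEmpty() ? null : text;
  }
}
```

In the proposed `oauth2UserLogin`, `toLocalUser(oauth2User).ifPresent(...)` would replace the direct `new UserInfo()` construction, and the empty case should be logged rather than silently creating a half-populated account.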

I don't quite understand why a user still needs to be created in the portal when logging in with OAuth. And even if it is created, wouldn't all kinds of synchronization be needed to keep the data consistent?

nobodyiam avatar Mar 29 '25 02:03 nobodyiam

I don't quite understand why a user still needs to be created in the portal when logging in with OAuth. And even if it is created, wouldn't all kinds of synchronization be needed to keep the data consistent?

Because no user is created automatically when logging in with OAuth, so there is no way to grant the user permissions.

yuanhaoliang avatar Apr 02 '25 02:04 yuanhaoliang

Oh, so you want to add an OAuth login mode? If it is a different mechanism from OIDC, a new type could be added (the currently supported types are springsecurity/ldap/oidc).

nobodyiam avatar Apr 04 '25 09:04 nobodyiam

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] avatar May 04 '25 10:05 stale[bot]

Oh, so you want to add an OAuth login mode? If it is a different mechanism from OIDC, a new type could be added (the currently supported types are springsecurity/ldap/oidc).

Hi @nobodyiam, with oidc login (keycloak/casdoor, etc.) the created username is the openid's uuid form, and the username field used when granting app permissions or superadmin is also that uuid rather than the user's name, which is inconvenient to use. With ldap login the username is usually the username field rather than a uuid, so switching and migrating is inconvenient as well.

https://github.com/apolloconfig/apollo/blob/v2.3.0/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/oidc/OidcUserInfoHolder.java#L67

https://github.com/apolloconfig/apollo/blob/master/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/oidc/OidcUserInfoHolder.java#L66

tangr avatar Jul 02 '25 02:07 tangr

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 01 '25 13:08 stale[bot]

This issue has been automatically closed because it has not had activity in the last 7 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

stale[bot] avatar Aug 13 '25 12:08 stale[bot]