Unify users and OAuth ACLs

[choffmeister]

Hey,

while trying out v5 alpha I fell over something: I had an OAuth provider configured, set up an app and configured the user allow list to contain my specific user. My (and IHMO most peoples) assumption was, that as soon as I start allow listing at least one identity, then no other identity can get in anymore. But turns out, that all OAuth based logins where still accepted. Only once I had added also one OAuth whitelist (why the two different namings btw?), then also OAuth was limited down.

I think this is a potentially catastrophic misconfiguration that can easily. Also in one tinyauth application there might be apps, where only my one in-file admin user should have access to one app (and hence I cannot whitelist yet another OAuth identity). So the current setup is not only confusing, but also has some relevant cases, that cannot be achieved.

How about unifying ACLs all together like this:

• in-file users are represented by user:{username}
• OAuth identities are represened by oauth:{provider}:{email} (this would allow, to specifically address identities in a specific provider)

For example

# allow user myuser
# allow google identity myemail@googlemail.com
TINYAUTH_APPS_name_IDENTITY_ALLOW=user:myuser,oauth:google:myemail@googlemail.com

or

# allow google identity myemail@googlemail.com
# allow github identity myemail@domain.com
TINYAUTH_APPS_name_IDENTITY_ALLOW=user:myuser,oauth:github:myemail@domain.com

And then defining any allow, would automatically block anyone not from that allow list, regardless of the source of the other user.
Same would of course apply for blocking.

[steveiliop56]

Tinyauth uses two different kinds of whitelists. The environment variable calledTINYAUTH_OAUTH_WHIELIST configures who can login to Tinyauth. If you have whitelisted at least one user then nobody else will be able to login. Now, the access control whitelist defines the users which are permitted to access this specific app (it is not related to who can login to Tinyauth).