OAuth users cannot confirm password for sensitive actions (Administration, settings, etc.)

[tuzumkuru]

Hi,

Thanks for developing and maintaining this plugin. I love using this plugin and making Google OAuth a SSO option for Redmine. I have a problem though:

When using this plugin, login works fine. However, after some time in the session, if I try to change settings Redmine asks for a password confirmation. Since OAuth users don’t have a local password, they cannot continue. This is also a problem if I use sudo_mode. Some time after login, if I want to act as an administrator, it asks password but no option go authenticate through OAuth.

Steps to reproduce:

• Log in to Redmine using OAuth.
• Wait some time after login (session idle period).
• Try to change a setting.
• Redmine asks for password confirmation.

OAuth user cannot proceed (no local password).

Expected behavior:
OAuth users should be able to bypass or satisfy password confirmation without needing a local password.

I believe this would be a necessary feature/fix for this plugin. Otherwise what would you suggest?

[picman]

Do you use other plugins? I think that pure Redmine just redirects you to the login page when the session expires.

[tuzumkuru]

Hi Karel,

When the session expires, you are right, it redirects to the login page.

I am using sudo_mode in which you set a timeout for Redmine to ask for a password when timeout expires for security important tasks, ie. Account or Administrative changes. It doesn't redirect to the login page, instead ask the password at the same page.

Below is a SS from a local instance when I try to change a setting in my account page after the timeout period. This local instance only runs a plugin which i am working on but irrelevant to the issue. sudo_mode is set to true to show this behaviour:

About sudo_mode:

 # Requires users to re-enter their password for sensitive actions (editing
  # of account data, project memberships, application settings, user, group,
  # role, auth source management and project deletion). Disabled by default.
  # Timeout is set in minutes.
  #
  #sudo_mode: true
  #sudo_mode_timeout: 15

from https://svn.redmine.org/redmine/tags/5.1.0/config/configuration.yml.example

[picman]

Thank for the explanation. Now, I know what you are talking about.

A possible solution would be to add a button "Continue with OAuth" next to the Submit button which would authenticate the user with the configured OAuth provider.

A problem is that there are no hooks on Redmine's side to allow plugins to extent the present functionality. So' I'd have to override the view and the controller as well.

In our environment we also use OAuth but we also heavily use the integrated SVN and git repositories and also WebDAV. To authenticate to these modules users must keep their passwords. OAuth just makes easier to log into the web interface.

[tuzumkuru]

I am trying to avoid password use since logging in Google is more secure since it needs 2FA and I don't want users to set 2FA in redmine too or everywhere for their convenience. I am trying to provide a real SSO experience.

My workaround is asking them to logout and login again and then do the change before sudo timeout. I use my password with 2FA with administrative tasks though.

I think there should be a fix to make redmine's login system controlled from one place and providing hooks to add methods there. That would be the most elegant solution. I don't know rails so can't comment more.

You can close this issue if you want, or keep it open until there is some solution. Overriding the view and the controller might be a good fix but i guess it is risky for future updates?