Answered

OAuth2 Big Picture Questions

Pablo J 1 year ago updated by Vlad R 1 year ago 5

Before I dive into OAuth2, please help me understand how it might work with FileRun.

I think I would be authenticating against Google since we have GSuite accounts already. 

1. What happens to existing users when I implement the plugin?

2. If I have a 20-user license and 40-gsuite users, how do I specify which users have access to FileRun?

3. If I delete a gsuite user, what happens to the Filerun files of that user?

Obviously, not quite sure how this works. The technical how-tos referenced in the documentation provide a lot of background about the authentication process but not the big picture I need to understand the repercussions of my choices. 

Answered
1. What happens to existing users when I implement the plugin?

If you configure FileRun to allow local login, they will continue to function as normal. If their usernames are found in the third-party system, then the password will be checked against the third-party system, and not the FileRun database.

2. If I have a 20-user license and 40-gsuite users, how do I specify which users have access to FileRun?

Any of the third-party system's users would be able to log in, until FileRun will no longer be able to create accounts for them. If you wish to filter them somehow, you can add some logic to the "customizables/auth/oauth2.auth.php" code.

3. If I delete a gsuite user, what happens to the Filerun files of that user?

Absolutely nothing. The FileRun account will still remain until you remove it from the FileRun control panel.
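
One way to write the filtering logic mentioned in answer 2, shown as an added example that is not FileRun's code and not part of the original replies. The function name, the allowlist and the domain are hypothetical; `$claims` is assumed to be the decoded Google user-info array (`email`, `email_verified`, `hd`), and how it would be called from "customizables/auth/oauth2.auth.php" is not shown because the thread does not describe that file's interface.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of FileRun): decide whether a user who
 * authenticated with Google may sign in to FileRun.
 *
 * @param array  $claims         Decoded Google user-info claims (assumed shape).
 * @param array  $allowedEmails  Addresses that should consume a license.
 * @param string $requiredDomain The organisation's Google domain.
 */
function isAllowedFileRunUser(array $claims, array $allowedEmails, string $requiredDomain): bool
{
    // Only trust addresses Google reports as verified.
    if (!in_array($claims['email_verified'] ?? false, [true, 'true'], true)) {
        return false;
    }

    // Normalise before comparing: e-mail matching must not depend on case.
    $email = strtolower(trim((string) ($claims['email'] ?? '')));
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // 'hd' is Google's hosted-domain claim; personal accounts do not carry it.
    $domain = strtolower($requiredDomain);
    if (strtolower((string) ($claims['hd'] ?? '')) !== $domain) {
        return false;
    }

    // The address itself must belong to the same domain.
    if (substr(strrchr($email, '@'), 1) !== $domain) {
        return false;
    }

    // Exact match against the allowlist (20 licensed users out of 40, for instance).
    $allowed = array_map(static fn ($e) => strtolower(trim((string) $e)), $allowedEmails);
    return in_array($email, $allowed, true);
}

// Constructed sample data for illustration only.
$allowlist = ['alice@example.org', 'bob@example.org'];
$licensed  = ['email' => 'Alice@Example.org', 'email_verified' => true, 'hd' => 'example.org'];
$unlisted  = ['email' => 'carol@example.org', 'email_verified' => true, 'hd' => 'example.org'];
$outsider  = ['email' => 'alice@example.org', 'email_verified' => true]; // no hosted domain

var_dump(isAllowedFileRunUser($licensed, $allowlist, 'example.org')); // bool(true)
var_dump(isAllowedFileRunUser($unlisted, $allowlist, 'example.org')); // bool(false)
var_dump(isAllowedFileRunUser($outsider, $allowlist, 'example.org')); // bool(false)
```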

So, I should add users first to FileRun, then turn off local login. Their user names should be their email address. GSuite will then match this user name to their user name, which is always the email address. If I have the full 20 users defined, then no other users will be able to sign in because there will be no more licenses available. Right?

That is correct, you can do this to make sure only specific user accounts will have access to FileRun.

One other question, do the desktop and mobile clients still work if OAuth2 is enabled, or can they only authenticate against the local database? 

If there is a current tutorial out there on how to authenticate using a gsuite account, it would be great to know about it. If I figure it out, I'll be glad to write one up.

The desktop and mobile clients should still work fine.

FileRun supports simpleSAMLphp, which can be used for authenticating against G Suite: https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps