Hi,
is anyone interested in implementing a “correct” OIDC implementation that fetches and updates the user information from the identity provider (like enabled/disabled, and fetching the groups of the user), rather than just logging in, creating the user and then never checking with the IdP anymore?
In addition, at the moment if signup is disabled, my users will also not be able to log in using their IdP accounts (if it is their first time). However, I do want them to be able to log in using the IdP (even if it seems to be their first login or signup because they do not exist in ERPNext yet).
This is going to be helpful in:
- Fetching the groups of users from the IdP and updating them accordingly when changed in the IdP.
- Being able to enable/disable the user when disabled in the IdP.
So in the end, this will enable centralized management of users, not just creating the user and then forgetting about it. I found a similar proposal as a GitHub feature request, but it has been open for about 8 years and it seems not to be getting enough attention, although this is really a hard-core enterprise feature.
I may also help as far as possible with this implementation if anyone is interested.
Maybe we should not necessarily reimplement everything from scratch, we may just extend the current social login integration (when possible).
UPDATE
After testing the Social Login app thoroughly, I can say that we really need a real OIDC client implementation that allows the user to log in (even for the first time, when signup is disabled), syncs the user info updates, and of course fetches the groups from the claim.
Would there be any timeline to implement this?
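The per-login sync described in this post, as an added example (not ERPNext/Frappe code and not the poster's): the IdP's claims are validated, then treated as authoritative for the local enabled state and group-derived roles, and first-time IdP users can be provisioned independently of the site's self-signup setting. The issuer, client id, the `enabled` and `groups` claim names and the group-to-role mapping are all constructed for the example.

```python
"""Added example: reconcile a local user record with OIDC claims on every login."""
import time

EXPECTED_ISSUER = "https://idp.example.com"  # constructed value
CLIENT_ID = "erpnext-client"                   # constructed value
# constructed mapping from IdP group claim values to local roles
GROUP_TO_ROLE = {"finance": "Accounts Manager", "staff": "Employee"}


def validate_claims(claims, now=None):
    """Checks a correct client must do before trusting ID-token claims:
    issuer, audience and expiry. Signature verification is assumed to have
    been done already by the JOSE library that decoded the token."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and CLIENT_ID not in (aud if isinstance(aud, list) else []):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return True


def sync_user(local_users, claims, jit_provision=True, now=None):
    """Create-or-update the local record from IdP claims; returns (user, changes).

    jit_provision is separate from the site's self-signup switch: it only
    controls whether an IdP-authenticated user unknown locally may be created."""
    validate_claims(claims, now)
    email = claims["email"]
    user = local_users.get(email)
    changes = []
    if user is None:
        if not jit_provision:
            raise PermissionError("user not provisioned locally and IdP provisioning is off")
        user = local_users[email] = {"email": email, "enabled": True, "roles": set()}
        changes.append("created")
    # IdP is authoritative: overwrite stale local state rather than merging.
    wanted_enabled = bool(claims.get("enabled", True))
    if user["enabled"] != wanted_enabled:
        user["enabled"] = wanted_enabled
        changes.append("enabled" if wanted_enabled else "disabled")
    wanted_roles = {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}
    if user["roles"] != wanted_roles:
        changes.append(f"roles {sorted(user['roles'])} -> {sorted(wanted_roles)}")
        user["roles"] = wanted_roles
    if not user["enabled"]:  # persisted as disabled, then login is refused
        raise PermissionError("account disabled at IdP")
    return user, changes
```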