Using external OAuth2 provider to provide single sign-on

I have OAuth2 setup, so that people who already have an account in my ERPNext instance can login via my OAuth2 provider.

I would like to enable people who already have an account on my OAuth2 provider to be able to create a new account on my ERPNext instance, transparently.

At the moment, if they don’t already have an ERPNext account, I get the message “Sorry. Signup from Website is disabled”.

I suspect, if I allowed signup from the website, it might work. But I don’t want random people from the Internet to be able to create accounts. How can I do one, without the other?

Supplementary question: If I did get this working, how could I determine what things a new account would have access to? Ideally, it would depend on information returned by my OAuth2 provider (e.g. what department they are in).

  • Add users in the system as a separate process, with no signup. That way, if a valid user does SSO it will be mapped to the one created before; if no user is found, there will be a "Sorry. Signup from Website is disabled" error.
  • Add users using a system manager account and api key/secret or Bearer Token.
  • If you wish to have dynamic signups then you need to enable website signup.

Custom app can do anything. It can modify the redirect callback to verify additional id_token claims or profile endpoint response and create user with appropriate roles.

Custom extensions that help you build apps with Frappe Framework as a resource server.

Microsoft Azure SSO, check custom callback.
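An added example (not code from this thread, from ERPNext or from Frappe) of the claim-verification and role-mapping logic a custom callback would run before it creates a user. It assumes a hypothetical provider at `https://sso.example.com`, a client id `erpnext-client`, a `department` claim in the id_token, and a constructed `DEPARTMENT_ROLES` table; the HS256 shared-secret signature is used only so the block runs offline with the standard library, where a real provider would normally sign with RS256 and you would verify against its JWKS instead. Users whose department is not in the table are refused, which is how provider-side accounts get transparent signup while public website signup stays disabled.

```python
"""Added example: verify an OIDC id_token and derive the ERPNext user + roles
from its claims. Not ERPNext/Frappe code; provider, secret and mapping are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed mapping from the provider's "department" claim to ERPNext roles.
# A department that is not listed here is refused, so nobody outside the
# provider's known departments can provision an account.
DEPARTMENT_ROLES = {
    "sales": ["Sales User"],
    "accounts": ["Accounts User"],
    "hr": ["HR User"],
}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT. Used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, then iss/aud/exp, before trusting any claim in the token.
    HS256 with a shared secret keeps this offline; with a real RS256 provider you
    verify against its published JWKS instead (e.g. PyJWT's PyJWKClient)."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    current = now if now is not None else time.time()
    if float(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def user_doc_from_claims(claims: dict) -> dict:
    """Turn verified claims into a Frappe User document dict, roles chosen by department."""
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise PermissionError("provider did not assert a verified email")
    roles = DEPARTMENT_ROLES.get(str(claims.get("department", "")).lower())
    if roles is None:
        raise PermissionError("department not allowed to sign up")
    return {
        "doctype": "User",
        "email": email,
        "first_name": claims.get("given_name") or email.split("@")[0],
        "last_name": claims.get("family_name", ""),
        "user_type": "System User",
        "send_welcome_email": 0,
        "roles": [{"role": r} for r in roles],
    }


if __name__ == "__main__":
    # Constructed sample token from the hypothetical provider.
    secret, iss, aud = b"constructed-shared-secret", "https://sso.example.com", "erpnext-client"
    token = make_hs256_token(
        {"iss": iss, "aud": aud, "exp": time.time() + 300, "email": "alice@example.com",
         "email_verified": True, "given_name": "Alice", "department": "Sales"},
        secret,
    )
    print(json.dumps(user_doc_from_claims(verify_id_token(token, secret, iss, aud)), indent=2))
```

In a custom app the wiring around this is assumed to look like: a `@frappe.whitelist(allow_guest=True)` endpoint registered as the provider's redirect URI checks the `state` it issued, exchanges the code for tokens, calls `verify_id_token`, and, only if `frappe.db.exists("User", email)` is false, inserts `frappe.get_doc(user_doc_from_claims(claims)).insert(ignore_permissions=True)` before logging the user in. Keep the department-to-role table in a site config or a DocType rather than in code so the roles can be changed without a deploy.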