OAuth2 Registration Flow

User Status Overview

Portrait has multiple user statuses. Here is an overview:

| Status | Meaning | Allowed Operation |
|---|---|---|
| GRANTED | User has been granted access. | Everything is permitted. Can be further restricted by the User Roles. |
| REVOKED | User has been revoked access by an admin. | No operation is permitted. Login is rejected. |
| UNCHECKED | User has not been checked by an admin, but information such as email and name is provided. | Limited access. Can log in and update their profile settings, but cannot retrieve data. An admin needs to manually grant the user. |
| REGISTRATION_ONGOING | User is in the process of registration; not all fields are filled. Usually used for OAuth2 users. | Limited access. Can log in and update their profile settings, but cannot retrieve data. The user is supposed to update their profile settings. Afterwards the status is automatically changed to either GRANTED or UNCHECKED, depending on the OAuth2 configuration. |

User Role Overview

In addition to the user status, Portrait also has two user roles: ADMIN and USER.

OAuth2 Login Flow

An indirect effect of using an OAuth2 auth provider is that the application (Portrait in our case) does not know in advance which users exist.
Therefore Portrait only stores accounts for users that have logged in at least once. After the first login the user must provide further registration details such as email and name. Lastly, the configured initialStatus is set as the user's UserStatus.

This status can be configured on an auth provider level.

There are two possibilities that can make sense in practice:

Automatic Approval

Choose this when you want either

  • fairly unrestricted access to Portrait. Example: a public portal with login via GitHub, IDAustria, …

  • access controlled by the auth provider itself. Example: an MS365/Azure domain, where only users from your tenant can log in anyway.

This has to be configured explicitly:

    application:
      name: Portrait Developer Instance
      owner: Treskon GmbH
      ...
      auth:
        publicAccess: false
        oauth2:
          registration:
            azure-treskon:
              initialStatus: GRANTED
            idaustria:
              initialStatus: GRANTED

Manual Approval (Default)

This means that each new user has to be manually granted access to Portrait after their first login. An admin can only grant users that have tried to log in at least once.

This is the default behaviour. It can also be set explicitly:

    application:
      name: Portrait Developer Instance
      owner: Treskon GmbH
      ...
      auth:
        publicAccess: false
        oauth2:
          registration:
            github:
              initialStatus: UNCHECKED
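The following is an added example, not Portrait's own code, that models both the status table above and the OAuth2 login flow: first login creates the account in REGISTRATION_ONGOING, completing the profile moves it to the provider's configured initialStatus, and every operation is checked against the status. The function names, the in-memory user store and the config dict are assumptions for illustration; the config dict mirrors the YAML fragments above, and a provider with no registration entry falls back to UNCHECKED (the documented default, manual approval).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class UserStatus(Enum):
    GRANTED = "GRANTED"
    REVOKED = "REVOKED"
    UNCHECKED = "UNCHECKED"
    REGISTRATION_ONGOING = "REGISTRATION_ONGOING"


# Operations permitted per status, taken from the status overview.
# Only GRANTED may retrieve data; REVOKED may not even log in.
ALLOWED_OPERATIONS = {
    UserStatus.GRANTED: {"login", "update_profile", "retrieve_data"},
    UserStatus.REVOKED: set(),
    UserStatus.UNCHECKED: {"login", "update_profile"},
    UserStatus.REGISTRATION_ONGOING: {"login", "update_profile"},
}


@dataclass
class User:
    provider: str
    subject: str  # stable user id issued by the identity provider
    status: UserStatus
    email: Optional[str] = None
    name: Optional[str] = None


# Constructed config mirroring the YAML above (assumption: same nesting).
CONFIG = {
    "auth": {
        "publicAccess": False,
        "oauth2": {
            "registration": {
                "azure-treskon": {"initialStatus": "GRANTED"},
                "idaustria": {"initialStatus": "GRANTED"},
            }
        },
    }
}

# Hypothetical in-memory account store keyed by (provider, subject).
USERS: Dict[Tuple[str, str], User] = {}


def initial_status_for(provider: str, config=CONFIG) -> UserStatus:
    """Per-provider initialStatus; missing entries fall back to UNCHECKED."""
    registration = config["auth"]["oauth2"].get("registration", {})
    value = registration.get(provider, {}).get("initialStatus", "UNCHECKED")
    return UserStatus(value)


def is_allowed(user: User, operation: str) -> bool:
    """Fail closed: anything not listed for the status is denied."""
    return operation in ALLOWED_OPERATIONS[user.status]


def oauth2_login(provider: str, subject: str) -> User:
    """First login creates the account in REGISTRATION_ONGOING.
    Later logins are rejected when the status forbids 'login' (REVOKED)."""
    key = (provider, subject)
    user = USERS.get(key)
    if user is None:
        user = User(provider, subject, UserStatus.REGISTRATION_ONGOING)
        USERS[key] = user
    if not is_allowed(user, "login"):
        raise PermissionError(f"login rejected: status {user.status.value}")
    return user


def complete_registration(user: User, email: str, name: str, config=CONFIG) -> User:
    """Profile update finishes registration: the status automatically becomes
    the provider's initialStatus (GRANTED or UNCHECKED)."""
    if not is_allowed(user, "update_profile"):
        raise PermissionError("profile update not permitted")
    user.email, user.name = email, name
    if user.status is UserStatus.REGISTRATION_ONGOING:
        user.status = initial_status_for(user.provider, config)
    return user


def admin_set_status(user: User, status: UserStatus) -> User:
    """Manual admin action: grant an UNCHECKED user or revoke any user."""
    user.status = status
    return user
```

The important property to keep when implementing this for real is that `is_allowed` is consulted on every request, not only at login: an account that is still UNCHECKED or REGISTRATION_ONGOING holds a valid session but must still be refused data retrieval until an admin grants it.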