feat: OAuth self-registration independent of general registration + OAuth-force-only mode #8506

Closed
ripgtxgt wants to merge 1 commit into coollabsio:next from ripgtxgt:feat/oauth-self-registration-next

@ripgtxgt

Changes

Two new admin settings (Settings → Advanced):

1. OAuth Self-Registration Allowed (is_oauth_registration_enabled, default true)
Allows new users to register via OAuth providers even when general password registration is disabled. Use case: restrict signup to users in your Authentik/GitHub org without disabling OAuth entirely.

Logic: new user allowed if is_oauth_registration_enabled OR is_registration_enabled.

2. Require OAuth Login (oauth_force_only, default false)
When enabled, users who sign in via OAuth are flagged users.oauth_force_only = true. Subsequent password login attempts for that user are rejected in Fortify's auth callback. Use case: suspend access by removing the user from your identity provider.

Issues

Category

  • New feature

AI Usage

  • AI is used in the process of creating this PR

Steps to Test

  1. Disable "Registration Allowed" in Settings → Advanced
  2. Enable "OAuth Self-Registration Allowed"
  3. Sign out, try to register with email/password → should fail
  4. Sign in via GitHub OAuth → should succeed and create account
  5. Enable "Require OAuth Login", sign in via OAuth, sign out
  6. Try to log in with password → should fail with auth error

Contributor Agreement

Important

  • I have read and understood the contributor guidelines. If I have failed to follow any guideline, I understand that this PR may be closed without review.
  • I have tested the changes thoroughly and am confident that they will work as expected without issues when the maintainer tests them

…oollabsio#8042)

Feature 1 — OAuth self-registration independent of general registration
-----------------------------------------------------------------------
Adds a new instance setting `is_oauth_registration_enabled` (default: true,
preserving existing behaviour).

When enabled, new users can create accounts by signing in via any
configured OAuth provider even if the general self-registration toggle
(`is_registration_enabled`) is off.

Use case: disable password-based sign-up while letting trusted identity
providers (Authentik, GitHub org, Google Workspace, etc.) onboard users.

Logic in OauthController::callback():
  new user allowed if is_oauth_registration_enabled OR is_registration_enabled

Feature 2 — OAuth-force-only mode
----------------------------------
Adds a new instance setting `oauth_force_only` (default: false).

When enabled, any user who authenticates via OAuth is flagged with a
per-user `users.oauth_force_only = true` column.  Subsequent password-based
login attempts for that user are silently rejected in the Fortify
authentication callback — they must sign in via their OAuth provider.

This lets admins revoke access by disabling the account in the identity
provider (e.g. remove from Authentik group, remove from GitHub org).

Files changed
-------------
database/migrations/
  2026_02_20_000001_add_oauth_registration_settings_to_instance_settings.php
    — adds is_oauth_registration_enabled + oauth_force_only to instance_settings

  2026_02_20_000002_add_oauth_force_only_to_users_table.php
    — adds oauth_force_only (boolean, default false) to users

app/Models/InstanceSettings.php  — boolean casts for new columns
app/Models/User.php              — boolean cast for oauth_force_only

app/Http/Controllers/OauthController.php
  — callback() uses is_oauth_registration_enabled for new-user gate
  — sets user.oauth_force_only when instance flag is on

app/Providers/FortifyServiceProvider.php
  — authenticateUsing() returns null (= auth failure) for oauth_force_only users

app/Livewire/Settings/Advanced.php
  — exposes + persists both new settings

resources/views/livewire/settings/advanced.blade.php
  — two new toggle checkboxes with descriptive helper text

Closes coollabsio#8042
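
The two gates described in this PR, modelled as a stand-alone PHP script and run through the PR's six test steps. This is an added example, not code from the PR or from Coolify: the class and method names, the in-memory user store and the sample addresses are constructed, and it assumes the password check consults only the per-user flag.

```php
<?php
// Stand-alone model of the PR's two gates. Constructed for illustration; not Coolify code.
final class Settings {                       // hypothetical stand-in for instance_settings
    public bool $is_registration_enabled = true;
    public bool $is_oauth_registration_enabled = true;
    public bool $oauth_force_only = false;
}
final class Instance {                       // hypothetical in-memory user store
    public array $users = [];                // email => ['hash' => ?string, 'oauth_force_only' => bool]
    public function __construct(public Settings $s) {}
    // Password sign-up follows only the general registration toggle.
    public function registerWithPassword(string $email, string $password): bool {
        if (!$this->s->is_registration_enabled || isset($this->users[$email])) {
            return false;
        }
        $this->users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'oauth_force_only' => false];
        return true;
    }
    // OAuth callback. Assumes the provider has already authenticated $email.
    public function oauthCallback(string $email): bool {
        if (!isset($this->users[$email])) {
            // New-user gate: is_oauth_registration_enabled OR is_registration_enabled.
            if (!$this->s->is_oauth_registration_enabled && !$this->s->is_registration_enabled) {
                return false;
            }
            $this->users[$email] = ['hash' => null, 'oauth_force_only' => false];
        }
        if ($this->s->oauth_force_only) {
            $this->users[$email]['oauth_force_only'] = true;   // per-user flag, set at OAuth sign-in
        }
        return true;
    }
    // Password login. Assumption: only the per-user flag is consulted here.
    public function passwordLogin(string $email, string $password): bool {
        $u = $this->users[$email] ?? null;
        if ($u === null || $u['oauth_force_only'] || $u['hash'] === null) {
            return false;                     // same failure as a wrong password
        }
        return password_verify($password, $u['hash']);
    }
}
// Scenario: the PR's "Steps to Test", plus an account that already has a password.
$i = new Instance(new Settings());
$i->registerWithPassword('old@example.test', 'constructed-pw');
$i->s->is_registration_enabled = false;                               // step 1 (step 2 is the default)
var_dump($i->registerWithPassword('new@example.test', 'x'));          // step 3
var_dump($i->oauthCallback('new@example.test'));                      // step 4
$i->s->oauth_force_only = true;                                       // step 5
var_dump($i->oauthCallback('old@example.test'));
var_dump($i->passwordLogin('old@example.test', 'constructed-pw'));    // step 6
```
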
github-actions bot locked as resolved and limited conversation to collaborators on Mar 25, 2026