BUG: Google SSO allows anybody to create an active account without approval - even if registration is disabled

Randomlee · October 5, 2021, 9:39am

As per title.

OAuth settings:

ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True

OAUTH_CLIENT_ID = "***"
OAUTH_CLIENT_SECRET = "***"
OAUTH_REDIRECT_URL = '***'

# The following shoud NOT be changed if you are using Google as OAuth provider.
OAUTH_PROVIDER_DOMAIN = 'google.com'
OAUTH_AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
OAUTH_TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token'
OAUTH_USER_INFO_URL = 'https://www.googleapis.com/oauth2/v1/userinfo'
OAUTH_SCOPE = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
]
OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),
    "name": (False, "name"),
}

As an aside - how do you get Google SSO working with Android?