I’m setting up self-hosted grist for my company with multiple orgs.
Not all users that are able to log in via OIDC should have access to Grist. However, Grist creates a new user and a “Personal Team” at domain /o/docs-{UserID} for every unrecognized user.
Describe the solution you would like
Either of the following
Users are exclusively created by GRIST_SUPPORT_EMAIL via SCIM APIs. Once user profile info is retrieved from OIDC, if user does not exist, then 403 Forbidden.
An unrecognized user logs in via OIDC and a new user is created, but no personal org is created, thus the user does not belong to any org and is shown the Access Denied screen when landing on /o/docs.
Ah, the normal workaround we suggest is to use a single org via GRIST_SINGLE_ORG - in that configuration, even though personal orgs are created, they are inaccessible. But that doesn’t work for you.
This is a very reasonable feature request. The implementation of your solution number 2 would, I think, also be quite easy; a small intervention based on a flag around here should do it:
If you file an issue for the feature on grist-core, I can get it in the queue for Grist Labs developer time, and also tag it with good-first-issue in case someone else has capacity and interest.
How hard do you think it is to do option 1? I’m hoping to submit a pull request once I understand the codebase better. It makes more sense to me that the user is never created in the first place. Option 2 introduces the potential for creation of users that are not supposed to have any permissions. This means if I forget to disable a role/permission for these users (now or with new features in the future), then they might have some obscure code path that they can access.
I’m thinking if a new flag GRIST_AUTO_USER=false and GRIST_FORCE_LOGIN=true then new users are not automatically created from oidc profile and should be shown the ‘signin-failed’ page.
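To make the two options concrete, here is an added illustration in TypeScript (Grist's own language) of the post-OIDC decision the thread is debating. It is not grist-core code: `UserStore`, `ProvisioningConfig`, `afterOidcLogin` and `canAccessOrg` are hypothetical names, the two booleans stand in for the proposed `GRIST_AUTO_USER` flag and the "no personal org" variant, and the seeded account is constructed sample data. The point it shows is the difference the original poster cares about: with option 1 a denied login leaves no user record behind at all, while with option 2 a record exists and access depends on membership checks staying correct.

```typescript
// Added illustration, not grist-core code. All identifiers below are hypothetical.

interface OidcProfile {
  email: string;
  name?: string;
}

interface User {
  id: number;
  email: string;
  orgIds: number[]; // orgs the user belongs to; a personal org is just one of them
}

interface ProvisioningConfig {
  autoCreateUsers: boolean;   // false = option 1: unknown OIDC identity is rejected outright
  createPersonalOrg: boolean; // false = option 2: user record exists but owns no org
}

type LoginOutcome =
  | { kind: "ok"; user: User }
  | { kind: "denied"; status: 403; reason: string };

function normalizeEmail(email: string): string {
  // Compare identities case-insensitively so "Alice@Example.com" and
  // "alice@example.com" resolve to the same provisioned account.
  return email.trim().toLowerCase();
}

class UserStore {
  private users = new Map<string, User>();
  private nextUserId = 1;
  private nextOrgId = 1;

  // Seed with accounts already provisioned out of band (e.g. via SCIM); constructed sample data.
  constructor(seedEmails: string[] = []) {
    for (const e of seedEmails) this.create(e, true);
  }

  find(email: string): User | undefined {
    return this.users.get(normalizeEmail(email));
  }

  create(email: string, withPersonalOrg: boolean): User {
    const key = normalizeEmail(email);
    if (this.users.has(key)) throw new Error(`user already exists: ${key}`);
    const user: User = {
      id: this.nextUserId++,
      email: key,
      orgIds: withPersonalOrg ? [this.nextOrgId++] : [],
    };
    this.users.set(key, user);
    return user;
  }

  count(): number {
    return this.users.size;
  }
}

// Hypothetical hook run once the OIDC profile has been retrieved.
function afterOidcLogin(profile: OidcProfile, store: UserStore, cfg: ProvisioningConfig): LoginOutcome {
  const existing = store.find(profile.email);
  if (existing) return { kind: "ok", user: existing };

  if (!cfg.autoCreateUsers) {
    // Option 1: deny before any record exists, so there is nothing a later
    // role or permission could accidentally apply to.
    return { kind: "denied", status: 403, reason: "identity not provisioned" };
  }

  // Option 2 when createPersonalOrg is false; current behaviour when it is true.
  const user = store.create(profile.email, cfg.createPersonalOrg);
  return { kind: "ok", user };
}

// Org-level check for a landing at /o/<org>: membership only, nothing else grants access.
function canAccessOrg(user: User, orgId: number): boolean {
  return user.orgIds.includes(orgId);
}
```

With `autoCreateUsers: false` an unknown identity gets a 403 and the store size is unchanged; with `autoCreateUsers: true, createPersonalOrg: false` the user is created with an empty `orgIds` and `canAccessOrg` returns false for every org, which is the "Access Denied at /o/docs" behaviour of option 2, but only for as long as every access path keeps routing through that membership check.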