marius-mather (Contributor) commented Nov 24, 2025

When user accounts are managed through a single OIDC provider, we want to disable editing of username/email address/password within Galaxy and have them managed at the OIDC provider. This PR disables the username/email/password change UI within Galaxy and instead shows a read-only profile page with a link to the external OIDC profile.

Builds on #20287.

Changes:

  • Add a profile_url option to OIDC backend config
  • Add a new user preferences widget for showing/linking to the OIDC profile
  • Disable username, email and password change based on config

Screenshots:

User preferences page with new profile widget added and "change password" removed (the existing "Manage Information" widget needs to be maintained for managing Galaxy-specific information like addresses and links to other external accounts)

Screenshot 2025-11-13 at 3 43 52 pm

New OIDC profile widget:

Screenshot 2025-11-24 at 3 33 50 pm

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

@github-actions github-actions bot added area/UI-UX area/API area/auth Authentication and authorization labels Nov 24, 2025
@github-actions github-actions bot added this to the 26.0 milestone Nov 24, 2025
bernt-matthias (Contributor) commented Nov 24, 2025

I remember that there was a config variable where the UI for changing this information was just disabled. I authenticate against LDAP and also don't want my users to change this.

Just can't find the config at the moment. Edit:

#enable_account_interface: true

marius-mather (Contributor, Author) commented

In our case, we want to make sure username and email can't be edited in Galaxy, since these will come from the OIDC provider, but we still want to allow for Galaxy-specific information like addresses and other integrations (e.g. Zenodo). enable_account_interface: false disables these as well (or at least the addresses), so we need to do something a bit more complex than just having everything hinge on enable_account_interface.

nuwang (Member) commented Dec 2, 2025

@marius-mather At the backend working group meeting, the general consensus was that we should just repurpose enable_account_interface for this. The original behaviour of hiding everything, including user properties, is undesirable, so doing what this PR does with the existing enable_account_interface switch makes the most sense.
