I'm not sure, but maybe you could put the flag disable-registration on the frontend container, and enable-registration on the back-end container ?

@thebaultyoann Thanks for a workaround.
I've tried to implement it and it really hides the registration link and makes OIDC auth working but I suspect there could be some security risks that somebody will still be able to register by submitting necessary data.

Check the API on the /api/doc endpoint of your penpot url. It exists a route to register people, so I guess yes, somebody can register anyway.

But is that really an issue ?
They could register and create an account, but for that they would need to first know the api endpoints, and then try to add an account.
And even with that, someone that use this user would only have his personnal access to penpot and only through the API if you have the flag "disable-login-with-password"

The only issue could be that someone managed through API requests to put himself into your penpot's team and export all the data you have. I didn't took the time to check, but I don't think Penpot team such a security breach open.

It's not a problem to research endpoints, params, etc. in the code.

When somebody registers in penpot, an email confirmation arrives to confirm the email address specified, if the person follows by the link he gets an access to the dashboard.

Reverting 81b52d7 seems to restore the behavior of OIDC working with disable-registration set. I assume this commit was made in response to #4283.
Tho reverting works as a hotfix, this obviously isn't ideal. A solution might be to allow for more fine-grained control over registrations. Maybe flags like this:

• disable-local-registrations for disabling local accounts registrations.
• disable-oidc-registrations for disabling OIDC account registrations.
• Maybe one for ldap as well? Unsure how that integrates as I don't use it.
• disable-registrations to disable all registrations

I believe these flags should support basically all registration use-cases.

I will look on it ASAP, and we trigger a patch release when it is fixed.

Added the enable-oidc-registration flag.

#4963

will be released on the next patch version.

Hi @vladimirdulov,

Thanks for reporting this! We've added this to our backlog on Taiga so that we can look further into it, you can find the details here: https://tree.taiga.io/project/penpot/issue/8477

This issue has been fixed and the fix will be release soon!

I'm sorry but it doesn't seem to be fixed.

I've configured Penpot v2.1.2 with the following flags:

PENPOT_FLAGS="disable-registration enable-login-with-oidc enable-odic-registration disable-onboarding disable-login-with-password disable-email-verification enable-smtp"

I got the following login screen:

When I click "OpenId" button, it brings Registration is currently disabled error.

Could you please check if it's an issue with my configuration or there is still a bug.