Re: Salsa as authentication provider for Debian

To: debian-project@lists.debian.org
Subject: Re: Salsa as authentication provider for Debian
From: Bastian Blank <waldi@debian.org>
Date: Tue, 7 Apr 2020 08:53:47 +0200
Message-id: <[🔎] 20200407065347.w6tkdho6yvywru2n@shell.thinkmo.de>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 20200406160938.bullk2d57f5ojjao@snafu.emyr.net>
References: <[🔎] 20200405184610.GA581270@waldi.eu.org> <[🔎] 20200406160938.bullk2d57f5ojjao@snafu.emyr.net>

Hi Luca

On Mon, Apr 06, 2020 at 04:09:38PM +0000, Luca Filipozzi wrote:
> That said, please consider an approach that would see keycloak used as
> an idenitity broker, allowing external users to create accounts using
> social identities that are then promoted to full Debian identities (in
> LDAP) if they complete the onboarding process.

You are proposing a different idea, however you are not yet proposing a
project with actionable items on it.  If you think this is worthwhile,
please provide at least the following things:

- Workflows, esp non-DD to DD and vice versa.
- Self service, e.g. user signup, how do users add OIDC clients, how add
  groups/roles to OIDC info.
- Salsa, how should it work together.
- Additional features
- Who is willing to maintain this long-term
- Exit strategy

Anyway, I took a quick look into Keycloak.

What I find particular interesting is:
- they use UUID for user identification
- users and groups can have arbitrary attributes attached to them,
  however they are not self service
- it is a complete authorization solution

What isn't so great
- no particular good admin interface (there are 40+ settings for each
  OIDC client alone)
- it can have forms without a required field, which can't be saved at
  all.
- jboss.  Who considers itself capable of running public jboss
  applications safely and securely?

Showstopper
- no self service for group or even OIDC clients
- no U2F (okay, GitLab also still needs to make the step to webauthn)
- requires Java 8, which is not supported on Debian Buster

I was not able to see the killer feature of this setup or at least one
feature that we must have.

>                                                Could be used as
> replacement for debsso, could be used for wiki, could be used for
> debconf, could be used for salsa.

But this is not different to what we already proposed.  Also all the
other modifications we need to do to for example Salsa and NM are
already the same.

Regards,
Bastian

-- 
Earth -- mother of the most beautiful women in the universe.
		-- Apollo, "Who Mourns for Adonais?" stardate 3468.1

Reply to:

Follow-Ups:
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>

References:
- Salsa as authentication provider for Debian
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>

Prev by Date: Re: Salsa as authentication provider for Debian
Next by Date: Re: Salsa as authentication provider for Debian
Previous by thread: Re: Salsa as authentication provider for Debian
Next by thread: Re: Salsa as authentication provider for Debian
Index(es):
- Date
- Thread