
Re: Salsa as authentication provider for Debian



On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:

> ## Highlevel plan

I'd like to learn a bit about what the effects for Debian account
holders and service admins will be.

> - Salsa becomes primary source of user info and authentication for secondary
>   services via OpenID Connect (OAuth2), for both DDs and non-DDs, replacing
>   sso.debian.org.

It sounds like the answer is no, but do Salsa, Keycloak or
LemonLDAP::NG support TLS client certs?

So it sounds like Debian would be switching our SSO authentication
protocol from TLS client certs directly supported by TLS clients to
something based on HTTP redirects, referrers and cookies that
requires a browser in order to log in?

It seems like one side effect of the protocol change is that login
events are centralised on the SSO service rather than at each
individual service.

Is there anything else that account holders need to be aware of?

> - nm.debian.org uses Salsa usernames by default to populate LDAP usernames when
>   creating accounts, and stores OIDC subject to strongly correlate between
>   Salsa and Debian LDAP users.

Is it intended that service maintainers each implement OpenID Connect
etc. within their service code using existing libraries, or should we
use something like the mod_auth_openidc Apache module to pass
authentication details to service code?

https://github.com/zmartzone/mod_auth_openidc

Can services using non-HTTP protocols be authenticated with OpenID Connect etc?

Is it intended that there be moderation at account creation time? In
our experience with the Debian wiki, a large amount of spammers
attempt to sign up. I hear that Salsa gets a lot of spammers signing
up too and those are manually cleaned up if they do something spammy.
For the wiki we found the best way to prevent spammers from signing up
is human moderation. Even that doesn't always help as I've let
spammers sign up before based on the content of their signup emails,
but it is a good start. One very nice aspect of the wiki signup
moderation is that the team can respond to aspects of the signup
email, welcoming the applicant with pointers to documentation,
suggestions of ideas on how to help, mailing lists to join and so on.

Is there anything else that service admins need to be aware of?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
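The plan quoted above has nm.debian.org store the OIDC subject so that the Salsa identity and the Debian LDAP user stay strongly linked even if a Salsa username changes or is later reused. The following is an added illustration of that relying-party logic, not code from the thread, nm.debian.org or any of the tools mentioned; the issuer URL, client id, function names and sample claims are all assumptions.

```python
import time

# Assumed values: the OIDC issuer and the client id registered for this service.
EXPECTED_ISSUER = "https://salsa.debian.org"
EXPECTED_AUDIENCE = "nm-debian-org-client"


def validate_claims(claims, now=None):
    """Checks a relying party must still make after the ID token's signature
    has been verified by the OIDC library: issuer, audience, expiry, subject.
    Returns (sub, preferred_username)."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (
        isinstance(aud, list) and EXPECTED_AUDIENCE in aud
    ):
        raise ValueError("token not issued for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"], claims.get("preferred_username")


def correlate(claims, accounts, now=None):
    """accounts maps an LDAP username to the OIDC 'sub' stored at creation.
    Returns (action, ldap_username). The stable 'sub' decides identity; the
    username is only used to name a brand-new account."""
    sub, username = validate_claims(claims, now)
    # 1. Known subject: log in as the linked LDAP user, even if the
    #    Salsa username has since been renamed.
    for ldap_user, stored_sub in accounts.items():
        if stored_sub == sub:
            return ("login", ldap_user)
    # 2. Username already belongs to a different subject: refuse to link,
    #    so a reused or look-alike Salsa username cannot take over an account.
    if username in accounts:
        return ("conflict", username)
    # 3. New subject: create the LDAP user and remember the sub.
    accounts[username] = sub
    return ("create", username)
```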
