
Re: Salsa as authentication provider for Debian



On 07/04/2020 at 17:20, Paul Wise wrote:
> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
> 
>> ## Highlevel plan
> 
> I'd like to learn a bit about what the effects for Debian account
> holders and service admins will be.
> 
>> - Salsa becomes primary source of user info and authentication for secondary
>>   services via OpenID Connect (OAuth2), for both DDs and non-DDs, replacing
>>   sso.debian.org.
> 
> It sounds like the answer is no, but does Salsa, Keycloak or
> LemonLDAP::NG support TLS client certs?

LLNG and Keycloak support TLS authentication, 2FA, etc. See
https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
for a complete list of LLNG-supported authentication mechanisms.

> So it sounds like Debian would be switching our SSO authentication
> protocol from TLS client certs directly supported by TLS clients to
> something based on HTTP redirects, referrers and cookies and that
> requires a browser in order to login?

Authentication gives an "authenticationLevel". You can restrict some
applications to TLS, some others to "password+2FA or TLS", and authorize
some others to use simple authentication.

> It seems like one side effect of the protocol change is that login
> events are centralised on the SSO service rather than at each
> individual service.
> 
> Is there anything else that account holders need to be aware of?
> 
>> - nm.debian.org uses Salsa usernames by default to populate LDAP usernames when
>>   creating accounts, and stores OIDC subject to strongly correlate between
>>   Salsa and Debian LDAP users.

Application profiles can be managed by the SSO (give the profile to the app
and/or restrict some URLs to a particular group [handler/GateKeeper only]).

> Is it intended that service maintainers each implement OpenID Connect
> etc within their service code using existing libraries, or should we
> use something like the mod_auth_openidc Apache module to pass
> authentication details to service code.

Both are possible, but the handler/GateKeeper can do the job.

> https://github.com/zmartzone/mod_auth_openidc
> 
> Can services using non-HTTP protocols be authenticated with OpenID Connect etc?
> 
> Is it intended that there be moderation at account creation time? In
> our experience with the Debian wiki, a large amount of spammers
> attempt to sign up. I hear that Salsa gets a lot of spammers signing
> up too and those are manually cleaned up if they do something spammy.

Yes, possible

> For the wiki we found the best way to prevent spammers from signing up
> is human moderation. Even that doesn't always help as I've let
> spammers sign up before based on the content of their signup emails,
> but it is a good start. One very nice aspect of the wiki signup
> moderation is that the team can respond to aspects of the signup
> email, welcoming the applicant with pointers to documentation,
> suggestions of ideas on how to help, mailing lists to join and so on.
> 
> Is there anything else that service admins need to be aware of?

