Re: Salsa as authentication provider for Debian
On 07/04/2020 at 17:20, Paul Wise wrote:
> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
>
>> ## Highlevel plan
>
> I'd like to learn a bit about what the effects for Debian account
> holders and service admins will be.
>
>> - Salsa becomes primary source of user info and authentication for secondary
>> services via OpenID Connect (OAuth2), for both DDs and non-DDs, replacing
>> sso.debian.org.
>
> It sounds like the answer is no, but does Salsa, Keycloak or
> LemonLDAP::NG support TLS client certs?
LLNG and Keycloak support TLS authentication, 2FA, ... See
https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
for a complete list of the authentication mechanisms supported by LLNG.
> So it sounds like Debian would be switching our SSO authentication
> protocol from TLS client certs directly supported by TLS clients to
> something based on HTTP redirects, referrers and cookies and that
> requires a browser in order to login?
Authentication gives an "authenticationLevel". You can restrict some
applications to TLS, some others to "password+2FA or TLS", and authorize
some others to use simple authentication.
> It seems like one side effect of the protocol change is that login
> events are centralised on the SSO service rather than at each
> individual service.
>
> Is there anything else that account holders need to be aware of?
>
>> - nm.debian.org uses Salsa usernames by default to populate LDAP usernames when
>> creating accounts, and stores OIDC subject to strongly correlate between
>> Salsa and Debian LDAP users.
Application profiles can be managed by SSO (give the profile to the app and/or
restrict some URLs to a particular group [handler/GateKeeper only]).
> Is it intended that service maintainers each implement OpenID Connect
> etc within their service code using existing libraries, or should we
> use something like the mod_auth_openidc Apache module to pass
> authentication details to service code.
Both are possible, but handler/GateKeeper can do the job.
> https://github.com/zmartzone/mod_auth_openidc
>
> Can services using non-HTTP protocols be authenticated with OpenID Connect etc?
>
> Is it intended that there be moderation at account creation time? In
> our experience with the Debian wiki, a large amount of spammers
> attempt to sign up. I hear that Salsa gets a lot of spammers signing
> up too and those are manually cleaned up if they do something spammy.
Yes, possible.
> For the wiki we found the best way to prevent spammers from signing up
> is human moderation. Even that doesn't always help as I've let
> spammers sign up before based on the content of their signup emails,
> but it is a good start. One very nice aspect of the wiki signup
> moderation is that the team can respond to aspects of the signup
> email, welcoming the applicant with pointers to documentation,
> suggestions of ideas on how to help, mailing lists to join and so on.
>
> Is there anything else that service admins need to be aware of?