
Re: Salsa as authentication provider for Debian



Hi Paul

On Tue, Apr 07, 2020 at 03:20:52PM +0000, Paul Wise wrote:
> It sounds like the answer is no, but does Salsa, Keycloak or
> LemonLDAP::NG support TLS client certs?

No, Salsa does not support TLS client certs.

> So it sounds like Debian would be switching our SSO authentication
> protocol from TLS client certs directly supported by TLS clients to
> something based on HTTP redirects, referrers and cookies and that
> requires a browser in order to login?

Using a browser is the primary method for login with OIDC, yes.

> It seems like one side effect of the protocol change is that login
> events are centralised on the SSO service rather than at each
> individual service.

No, not really.  The services ask the SSO service for the identity of
the user and get an attestation back.  So each service needs to handle
its own login.

> Is there anything else that account holders need to be aware of?

No.

> > - nm.debian.org uses Salsa usernames by default to populate LDAP usernames when
> >   creating accounts, and stores OIDC subject to strongly correlate between
> >   Salsa and Debian LDAP users.
> Is it intended that service maintainers each implement OpenID Connect
> etc within their service code using existing libraries, or should we
> use something like the mod_auth_openidc Apache module to pass
> authentication details to service code?
> https://github.com/zmartzone/mod_auth_openidc

This is up to the service maintainers.  I for example use
https://github.com/oauth2-proxy/oauth2-proxy

> Can services using non-HTTP protocols be authenticated with OpenID Connect etc?

In theory yes.  Dovecot for example supports this.

> Is it intended that there be moderation at account creation time? In
> our experience with the Debian wiki, a large amount of spammers
> attempt to sign up. I hear that Salsa gets a lot of spammers signing
> up too and those are manually cleaned up if they do something spammy.

Currently moderation is not planned.  What we might do is force new
users to be marked as external, which disallows them from doing anything.
However, I don't know how a moderation workflow should work.

Currently the homegrown self-service thingy makes automatic signup
unlikely, but this will go away.

Salsa itself is also a pretty small target, as almost all content is
exempted from indexing.  And cleaning up is pretty easy.

The only types of spam we had were
- snippets in Vietnamese and
- issues in Vietnamese.

>                         One very nice aspect of the wiki signup
> moderation is that the team can respond to aspects of the signup
> email, welcoming the applicant with pointers to documentation,
> suggestions of ideas on how to help, mailing lists to join and so on.

How many new users per day do you get?

> Is there anything else that service admins need to be aware of?

Yes.  Please don't use the username (the field is called "nickname"),
but only the subject (the field is called "sub") to identify users.

Regards,
Bastian

-- 
First study the enemy.  Seek weakness.
		-- Romulan Commander, "Balance of Terror", stardate 1709.2
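The last point in the reply, keying local accounts on the stable `sub` claim rather than the mutable `nickname`, as an added example that is not part of this thread or of any Debian service's code. It assumes an issuer URL and a client id (`example-service`) and constructs the token claims inline; signature and expiry verification of the ID token is assumed to have happened before this mapping step.

```python
"""Added example: map verified OIDC claims to a local account by (iss, sub).

``sub`` is stable for the lifetime of an account at the provider, while
``nickname`` can be changed by the user or later reassigned to a different
person. Identity therefore keys on ``sub``; ``nickname`` is display only.
All names, claims and the in-memory store below are constructed.
"""

EXPECTED_ISSUER = "https://sso.example.org"  # assumed issuer of the ID tokens
EXPECTED_AUDIENCE = "example-service"       # assumed client_id of this service

# Local account store keyed by (issuer, sub). Roles live here, not in the token.
_accounts: dict = {}


def resolve_account(claims: dict) -> dict:
    """Return (creating if needed) the local account for already-verified claims."""
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token not issued for this service")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("missing sub claim")
    key = (claims["iss"], sub)
    account = _accounts.get(key)
    if account is None:
        account = {"sub": sub, "display_name": claims.get("nickname", ""), "roles": []}
        _accounts[key] = account
    else:
        # A nickname change only updates the label; roles and identity stay put.
        account["display_name"] = claims.get("nickname", account["display_name"])
    return account


def lookup_by_nickname(nickname: str):
    """The pattern the reply warns against: returns whichever account currently
    carries this display name, so a newly registered user who picks a freed
    nickname would be matched to the old account's roles."""
    for account in _accounts.values():
        if account["display_name"] == nickname:
            return account
    return None


if __name__ == "__main__":
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE}
    first = resolve_account({**base, "sub": "1001", "nickname": "alice"})
    first["roles"].append("uploader")
    same = resolve_account({**base, "sub": "1001", "nickname": "alice_new"})
    other = resolve_account({**base, "sub": "2002", "nickname": "alice"})
    print(same is first, other["roles"], lookup_by_nickname("alice") is first)
```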

