Re: Salsa as authentication provider for Debian

To: debian-project@lists.debian.org
Subject: Re: Salsa as authentication provider for Debian
From: Bastian Blank <waldi@debian.org>
Date: Fri, 10 Apr 2020 12:06:42 +0200
Message-id: <[🔎] 20200410100641.ad4on2zflsnwetzg@shell.thinkmo.de>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 20200408151858.oxacs5vumkpe4vq6@snafu.emyr.net>
References: <[🔎] 20200405184610.GA581270@waldi.eu.org> <[🔎] 20200406160938.bullk2d57f5ojjao@snafu.emyr.net> <[🔎] 20200407065347.w6tkdho6yvywru2n@shell.thinkmo.de> <[🔎] 20200408151858.oxacs5vumkpe4vq6@snafu.emyr.net>

Hi Luca

On Wed, Apr 08, 2020 at 03:18:58PM +0000, Luca Filipozzi wrote:
> > - Salsa, how should it work together.
> Gitlab can use OIDC as an OmniAuth provider.

And here the problems begin.

Sure, just using it as OmniAuth provider works.  But this only provides
authentication.

But, as Sam correctly mentioned, as all others ignored it: we need
user life cytle.  And just using OmniAith does not provide any life
cycle control.

> > - Who is willing to maintain this long-term
> I'm not committing DSA to this but I'm encouraged by their interest in a
> demo.
> There are at least three people on the thread who are familiary with
> SAML/OIDC who are interested in supporting this service.

You are opting in to maintain three monsters:
- Java
- Wildfly
- Keycloak

> > What isn't so great
> > - no particular good admin interface (there are 40+ settings for each
> >   OIDC client alone)
> 
> Nearly all of those settings are auto-populated by exchanging metadata.
> In SAML, the SP and the IdP exchange XML documents containing the
> metadata. Tedious but works.  In OIDC, the SPI and the IdP point to each
> other's 'well-known' configuration URLs to pull in the metadata. The
> OIDC folks learned from SAML.

No, Keycloak is running as OIDC server in this case, so it _provides_
all the settings via the metadata discovery mechanism.

It's just that the existence of most of those options negates the
possibility to allow a random user to use it safely.

> > - it can have forms without a required field, which can't be saved at
> >   all.
> Not sure what you're describing, here.

Just random bugs.

- Enable "email as username"
- Try to add a user by admin interface

> > - requires Java 8, which is not supported on Debian Buster
> 
> This isn't true. I'm running keycloak in a demo for work using openjdk-11-jre-headless. Their documentation would do well to say Java 8 or later.

The latest installation doc is pretty specific:

https://www.keycloak.org/docs/latest/server_installation/#system-requirements

Regards,
Bastian

-- 
Another Armenia, Belgium ... the weak innocents who always seem to be
located on a natural invasion route.
		-- Kirk, "Errand of Mercy", stardate 3198.4

Reply to:

Follow-Ups:
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>

References:
- Salsa as authentication provider for Debian
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Luca Filipozzi <lfilipoz@debian.org>

Prev by Date: Re: Salsa as authentication provider for Debian
Next by Date: Re: Salsa as authentication provider for Debian
Previous by thread: Re: Salsa as authentication provider for Debian
Next by thread: Re: Salsa as authentication provider for Debian
Index(es):
- Date
- Thread