Bug#984999: sso.debian.org is deprecated



On Fri, Mar 12, 2021 at 01:48:48PM +0100, Raphael Hertzog wrote:
> On Thu, 11 Mar 2021, Antoine Beaupre wrote:
> > According to the sso.debian.org wiki page, the service is
> > "deprecated":
> > 
> > > If you are a service admin please look into using Salsa for this
> > > purpose. <https://wiki.debian.org/Salsa/SSO>

I'm oh so much looking forward to what we'll do in 5-10 years when salsa
will suddenly become deprecated as well :/

> Yeah, but I don't see a reason to disable this until someone has
> contributed OIDC authentication with salsa.debian.org.
> 
> I haven't even looked at what it entails. We don't seem to have
> pyoidc in Debian (https://github.com/rohe/pyoidc) and I don't see
> any other Python implementation.
> 
> I wonder what nm.debian.org uses for this.

Enrico developed this actually very nice piece of code that allows one to
associate "identities" to accounts, effectively providing multiple login
methods.  It's actually incredibly simple, though of course it could do
with a few improvements here and there…
https://salsa.debian.org/nm-team/nm.debian.org/-/tree/master/signon
That's also used by contributors.d.o and debtags.d.n, so we were
thinking of splitting the "app" out of them to reduce the duplication.

Incidentally, the fact that the salsa admins decided to not force
account names with -guest anymore, also means that you can't easily
associate salsa accounts to DDs anymore, and AFAIK there is no good way
to establish that as of now (the nm API is not publicly advertising the
salsa accounts details of DDs ATM (that's part of a private API for
salsa only though), and of course the salsa admins don't fancy patching
gitlab to expose that detail).
So, even if you implemented the above thing, associating everybody's
salsa "identities" to their already existing tracker.d.o accounts would
prove incredibly difficult.  Good luck.

> > Apparently, you can still generate client-sides certs with "web
> > crypto", whatever that means... But that's kind of out of scope here. 
> 
> I managed to renew my certificate by following the instructions
> on sso.debian.org at least.

Chrome also hasn't supported online keygen for years, but I argue it's
still trivial to get a certificate.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
