On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:

> ## Highlevel plan

I'd like to learn a bit about what the effects for Debian account holders and service admins will be.

> - Salsa becomes primary source of user info and authentication for secondary
>   services via OpenID Connect (OAuth2), for both DDs and non-DDs, replacing
>   sso.debian.org.

It sounds like the answer is no, but do Salsa, Keycloak or LemonLDAP::NG support TLS client certs?

So it sounds like Debian would be switching our SSO authentication protocol from TLS client certs, directly supported by TLS clients, to something based on HTTP redirects, referrers and cookies that requires a browser in order to log in?

It seems like one side effect of the protocol change is that login events are centralised on the SSO service rather than at each individual service.

Is there anything else that account holders need to be aware of?

> - nm.debian.org uses Salsa usernames by default to populate LDAP usernames when
>   creating accounts, and stores OIDC subject to strongly correlate between
>   Salsa and Debian LDAP users.

Is it intended that service maintainers each implement OpenID Connect etc. within their service code using existing libraries, or should we use something like the mod_auth_openidc Apache module to pass authentication details to service code?

https://github.com/zmartzone/mod_auth_openidc

Can services using non-HTTP protocols be authenticated with OpenID Connect etc.?

Is it intended that there be moderation at account creation time? In our experience with the Debian wiki, a large amount of spammers attempt to sign up. I hear that Salsa gets a lot of spammers signing up too and those are manually cleaned up if they do something spammy. For the wiki we found the best way to prevent spammers from signing up is human moderation. Even that doesn't always help as I've let spammers sign up before based on the content of their signup emails, but it is a good start.

One very nice aspect of the wiki signup moderation is that the team can respond to aspects of the signup email, welcoming the applicant with pointers to documentation, suggestions of ideas on how to help, mailing lists to join and so on.

Is there anything else that service admins need to be aware of?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
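One way to do the mod_auth_openidc approach the message asks about, as an added example that is not part of the post or of the Debian/Salsa setup: an Apache virtual host that authenticates users against an OpenID Connect provider and hands the verified subject and claims to the service behind it, so the service code needs no OIDC library of its own. The provider URL, client credentials, group name and backend address are placeholders.

```apache
# Added example, not the project's configuration. Placeholder values throughout.
<VirtualHost *:443>
    ServerName service.example.invalid
    SSLEngine on

    # Discover issuer, endpoints and signing keys from provider metadata
    # (placeholder URL standing in for the Salsa/Keycloak issuer).
    OIDCProviderMetadataURL https://sso.example.invalid/.well-known/openid-configuration
    # Client registration at the provider (placeholders).
    OIDCClientID service-example-client
    OIDCClientSecret CHANGE-ME-client-secret
    # Redirect URI registered with the provider; handled by the module itself,
    # so it must not map to a real resource of the service.
    OIDCRedirectURI https://service.example.invalid/oidc-redirect
    # Passphrase used to encrypt the module's session cookie.
    OIDCCryptoPassphrase CHANGE-ME-random-passphrase
    OIDCScope "openid email profile"

    # Identify the user by the stable OIDC subject, matching the plan's idea of
    # storing the subject to correlate accounts, rather than by a username or
    # display name that may change or be reused.
    OIDCRemoteUserClaim sub
    # Expose verified claims to the backend as OIDC_CLAIM_* request headers.
    OIDCPassClaimsAs headers
    OIDCClaimPrefix OIDC_CLAIM_

    # Bound the centralised session so an abandoned browser does not stay logged in.
    OIDCSessionInactivityTimeout 1800
    OIDCSessionMaxDuration 28800

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # Restrict an admin area to a group claim asserted by the provider
    # (claim name and value are placeholders).
    <Location /admin>
        AuthType openid-connect
        Require claim groups:service-admins
    </Location>

    # The service never sees a cookie or token, only REMOTE_USER and the
    # OIDC_CLAIM_* headers set by this front end, so it must be reachable only
    # through Apache; otherwise it would trust headers anyone can forge.
    ProxyPass /oidc-redirect !
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Non-HTTP services cannot be fronted this way; they need the provider to issue something the service can verify on its own (for example a token checked against the provider's published keys), which is a separate integration per protocol.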