On 07/04/2020 at 17:20, Paul Wise wrote:
> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
>
>> ## Highlevel plan
>
> I'd like to learn a bit about what the effects for Debian account
> holders and service admins will be.
>
>> - Salsa becomes primary source of user info and authentication for secondary
>> services via OpenID Connect (OAuth2), for both DDs and non-DDs, replacing
>> sso.debian.org.
>
> It sounds like the answer is no, but does Salsa, Keycloak or
> LemonLDAP::NG support TLS client certs?
LLNG and Keycloak support TLS authentication, 2FA, ... See
https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
for a complete list of LLNG supported authentication mechanisms.

> So it sounds like Debian would be switching our SSO authentication
> protocol from TLS client certs directly supported by TLS clients to
> something based on HTTP redirects, referrers and cookies and that
> requires a browser in order to login?

Authentication gives an "authenticationLevel". You can restrict some
applications to TLS, some others to "password+2FA or TLS", and authorize
some others to use simple authentication.

> It seems like one side effect of the protocol change is that login
> events are centralised on the SSO service rather than at each
> individual service.
>
> Is there anything else that account holders need to be aware of?
>
>> - nm.debian.org uses Salsa usernames by default to populate LDAP usernames
>> when
>> creating accounts, and stores OIDC subject to strongly correlate between
>> Salsa and Debian LDAP users.

Application profiles can be managed by SSO (give profile to app and/or
restrict some URL to a particular group [handler/GateKeeper only]).

> Is it intended that service maintainers each implement OpenID Connect
> etc within their service code using existing libraries, or should we
> use something like the mod_auth_openidc Apache module to pass
> authentication details to service code.

Both are possible, but handler/GateKeeper can do the job.

> https://github.com/zmartzone/mod_auth_openidc
>
> Can services using non-HTTP protocols be authenticated with OpenID Connect
> etc?
>
> Is it intended that there be moderation at account creation time? In
> our experience with the Debian wiki, a large amount of spammers
> attempt to sign up. I hear that Salsa gets a lot of spammers signing
> up too and those are manually cleaned up if they do something spammy.
Yes, possible.

> For the wiki we found the best way to prevent spammers from signing up
> is human moderation. Even that doesn't always help as I've let
> spammers sign up before based on the content of their signup emails,
> but it is a good start. One very nice aspect of the wiki signup
> moderation is that the team can respond to aspects of the signup
> email, welcoming the applicant with pointers to documentation,
> suggestions of ideas on how to help, mailing lists to join and so on.
>
> Is there anything else that service admins need to be aware of?
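As an added illustration of the mod_auth_openidc approach raised in the thread (this is not from the mail, from Debian's deployment, or from the LemonLDAP::NG/Keycloak projects), here is an Apache fragment that authenticates a service against an OIDC provider and hands the verified claims to the backing application as request headers, with one path restricted to a provider-side group. The provider URL, client id/secret, group name and backend address are placeholders; it assumes mod_auth_openidc and mod_proxy_http are already enabled.

```apache
# Added example, not part of the mail thread or of any project's configuration.
# All URLs, the client id/secret and the group name are placeholders.

# Discovery document of the SSO provider (e.g. a Keycloak realm or LemonLDAP::NG).
OIDCProviderMetadataURL https://sso.example.org/.well-known/openid-configuration
OIDCClientID            example-service
OIDCClientSecret        REPLACE-WITH-SECRET-FROM-PROVIDER
# Must live under a protected path and must not map to real content.
OIDCRedirectURI         https://service.example.org/protected/redirect_uri
# Encrypts the session cookie and state parameter; use a long random string.
OIDCCryptoPassphrase    REPLACE-WITH-LONG-RANDOM-STRING
OIDCScope               "openid profile email"
# Claim exposed as REMOTE_USER. "sub" stays stable across username changes,
# which matters when it is the key used to correlate accounts.
OIDCRemoteUserClaim     sub
# Pass verified claims to the backend as OIDC_CLAIM_* headers so the
# application never has to parse or validate ID tokens itself.
OIDCPassClaimsAs        headers

<Location /protected/>
    AuthType openid-connect
    # Only members of one provider-side group may reach this path.
    Require claim groups:service-admins
    # Backend reached only through this proxy (assumes mod_proxy_http).
    ProxyPass http://127.0.0.1:8080/
</Location>

<Location /protected/shared/>
    AuthType openid-connect
    # Any account the provider authenticated is enough here.
    Require valid-user
</Location>
```

The backend must be reachable only through this Apache instance; if clients can hit it directly, the OIDC_CLAIM_* headers it trusts can be supplied by anyone.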