On Wed, Apr 08, 2020 at 05:28:37PM +0200, Enrico Zini wrote:
> On Wed, Apr 08, 2020 at 03:00:31PM +0000, Luca Filipozzi wrote:
>
> > > Question: is there something in the proposed Salsa plan that somehow
> > > blocks experimenting with, introducing, or migrating to Keycloak in the
> > > future?
> >
> > The further we go down one path, the harder, in my opinion, to change
> > later.
>
> I think we're not really going "down one path": we're trying to dig
> ourselves "out of one pit".
>
> I'll have to repeat the question: is there something specific in the
> proposed Salsa plan, that somehow blocks experimenting with,
> introducing, or migrating to Keycloak or some other solution in the
> future?

I think introduction of the broker is the compelling use case. I
appreciate that you may not view that as sufficiently compelling.
Additionally, I'd prefer keeping SPs separate from IdPs, having them
speak to each other using standard protocols, etc. I don't view making
GitLab an IdP as appropriate.

> From what I can see so far, we're starting a migration to OIDC, removing
> one of 3 user databases, adopting more standards, and doing some general
> cleanup along the way, which makes me think Salsa could be considered an
> iterative step towards a migration to anything else.

Very good outcomes, to be sure.

> If you're instead generally expressing a fear that once we migrate to
> Salsa, we'll be in a local optimum that is going to be considered good
> enough to be worth bothering migrating to anything else, then I would
> argue that the problem wouldn't be having moved to Salsa as an OIDC
> provider, and rather that the next step that is proposed wouldn't be
> bringing enough compelling advantages to the problem at hand.

Indeed, a local optimum is worrisome.

-- 
Luca Filipozzi