This page tracks the remaining work to make authenticate against so that Debian Developers can easily log in without maintaining a separate account. Guest accounts should be possible, too.

2017-10-24 suggestion to deploy dex on

stapelberg@ would like to deploy on

dex, in a nutshell, is an OpenID Connect (OIDC) provider with pluggable backends. In other words, it can authenticate against Apache basic auth, LDAP, other OAuth backends, and so on.

The idea is to have GitLab and other Debian web apps authenticate against dex.

In terms of technical changes, we’d need a new location config in apache2, similar to this:

        # Everything under /dex/ is proxied to the local dex instance.
        <Location /dex/>
                ProxyPass "http://localhost:5556/dex/"
                ProxyPassReverse "http://localhost:5556/dex/"
        </Location>

        # Only the connector callback is protected by basic auth; Apache
        # verifies the password and passes dex just the user name.
        <Location /dex/callback/webPassword>
                AuthType Basic
                AuthName " webPassword"
                AuthBasicProvider file
                AuthUserFile "/var/lib/misc/thishost/web-passwords"
                Require valid-user

                # Defense in depth: clear the Authorization header so that
                # Debian Web Passwords never even reach dex.
                RequestHeader unset Authorization

                # Requires Apache 2.4.10+
                # "set" replaces any X-Remote-User value sent by the client.
                RequestHeader set X-Remote-User expr=%{REMOTE_USER}

                ProxyPass "http://localhost:5556/dex/callback/webPassword"
                ProxyPassReverse "http://localhost:5556/dex/callback/webPassword"
        </Location>
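
The dex side that the Apache configuration above assumes, as an added example rather than the configuration actually deployed: the `authproxy` connector id has to equal the last path segment of the protected callback Location, and dex listens on loopback only because it trusts `X-Remote-User`. The issuer host, database path, client id, secret and redirect URI are placeholders.

```yaml
# Added example, not the deployed configuration.
# Host names, file paths, the client id and the secret are placeholders.

# The issuer path (/dex) must match the path Apache proxies to dex.
issuer: https://sso.example.org/dex        # placeholder host

storage:
  type: sqlite3
  config:
    file: /var/lib/dex/dex.db              # placeholder path

web:
  # Loopback only: dex trusts the X-Remote-User header, so it must be
  # reachable solely through the Apache <Location> blocks. Listening on
  # a public address would let any client supply that header directly.
  http: 127.0.0.1:5556

connectors:
  # The connector id becomes the callback path /dex/callback/webPassword,
  # which is the one Location Apache protects with basic auth and where
  # it sets X-Remote-User from REMOTE_USER.
  - type: authproxy
    id: webPassword
    name: Debian Web Password

staticClients:
  - id: gitlab                              # placeholder client id
    name: GitLab
    secret: REPLACE_WITH_RANDOM_SECRET      # placeholder, generate per client
    redirectURIs:
      # placeholder host; exact-match allow-list of where codes may be sent
      - https://gitlab.example.org/users/auth/openid_connect/callback
```

If the connector id is changed here, the second `<Location>` path in the Apache configuration must change with it, otherwise the callback is proxied through the unauthenticated `/dex/` block.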

stapelberg@ is currently packaging dex for Debian, see 879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).