Differences between revisions 8 and 9
Revision 8 as of 2017-10-24 16:12:08
Size: 2529
Editor: ?MichaelStapelberg
Revision 9 as of 2017-10-24 18:31:35
Size: 2485
Editor: ?MichaelStapelberg
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:
  * TODO: ask luca about the status of the user management trial setup
  * as a fallback: enrico could implement basic user management/enrollment in sso.d.o
  * Guest accounts should most likely be stored in KeyCloak.
   * TODO(stapelberg): test setup of dex + KeyCloak

This page tracks the remaining work to make salsa.debian.org authenticate against sso.debian.org so that Debian Developers can easily log in without maintaining a separate account. Guest accounts should be possible, too.

  • Make ?GitLab authenticate against sso.debian.org

    • Anything which ?OmniAuth supports is fine. This includes OAuth2, SAML, Shibboleth.

    • we should use an existing oauth2 module, nothing custom
  • Have guest accounts available through sso.debian.org
    • Guest accounts should most likely be stored in ?KeyCloak.

      • TODO(stapelberg): test setup of dex + ?KeyCloak

2017-10-24 suggestion to deploy dex on sso.debian.org

stapelberg@ would like to deploy https://github.com/coreos/dex on sso.debian.org.

dex, in a nutshell, is an OpenID Connect (OIDC) provider with pluggable backends. In other words, it can authenticate against Apache basic auth, LDAP, other OAuth backends, ….

The idea is to have ?GitLab and other Debian web apps authenticate against dex.

In terms of technical changes, we’d need a new location config in apache2, similar to this:

        <Location /dex/>
                ProxyPass "http://localhost:5556/dex/"
                ProxyPassReverse "http://localhost:5556/dex/"

        <Location /dex/callback/webPassword>
                AuthType Basic
                AuthName "db.debian.org webPassword"
                AuthBasicProvider file
                AuthUserFile "/var/lib/misc/thishost/web-passwords"
                Require valid-user

                # Defense in depth: clear the Authorization header so that
                # Debian Web Passwords never even reach dex.
                RequestHeader unset Authorization

                # Requires Apache 2.4.10+
                RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org

                ProxyPass "http://localhost:5556/dex/callback/webPassword"
                ProxyPassReverse "http://localhost:5556/dex/callback/webPassword"

stapelberg@ is currently packaging dex for Debian, see 879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).