Differences between revisions 9 and 10
Revision 9 as of 2017-10-24 18:31:35
Size: 2485
Editor: ?MichaelStapelberg
Comment:
Revision 10 as of 2018-02-23 18:52:44
Size: 2665
Editor: ?GeertStappers
Comment: Added "See Also"
Deletions are marked like this. Additions are marked like this.
Line 47: Line 47:

= See Also =

 * https://wiki.debian.org/SummerOfCode2018/Projects/NewDebianSSO
 * http://blog.liw.fi/posts/2018/02/09/qvisqve_-_an_authorisation_server_first_alpha_release/

This page tracks the remaining work to make salsa.debian.org authenticate against sso.debian.org so that Debian Developers can easily log in without maintaining a separate account. Guest accounts should be possible, too.

  • Make GitLab authenticate against sso.debian.org

    • Anything which ?OmniAuth supports is fine. This includes OAuth2, SAML, Shibboleth.

    • we should use an existing oauth2 module, nothing custom
  • Have guest accounts available through sso.debian.org
    • Guest accounts should most likely be stored in ?KeyCloak.

      • TODO(stapelberg): test setup of dex + ?KeyCloak

2017-10-24 suggestion to deploy dex on sso.debian.org

stapelberg@ would like to deploy https://github.com/coreos/dex on sso.debian.org.

dex, in a nutshell, is an OpenID Connect (OIDC) provider with pluggable backends. In other words, it can authenticate against Apache basic auth, LDAP, other OAuth backends, ….

The idea is to have GitLab and other Debian web apps authenticate against dex.

In terms of technical changes, we’d need a new location config in apache2, similar to this:

        <Location /dex/>
                ProxyPass "http://localhost:5556/dex/"
                ProxyPassReverse "http://localhost:5556/dex/"
        </Location>

        <Location /dex/callback/webPassword>
                AuthType Basic
                AuthName "db.debian.org webPassword"
                AuthBasicProvider file
                AuthUserFile "/var/lib/misc/thishost/web-passwords"
                Require valid-user

                # Defense in depth: clear the Authorization header so that
                # Debian Web Passwords never even reach dex.
                RequestHeader unset Authorization

                # Requires Apache 2.4.10+
                RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org

                ProxyPass "http://localhost:5556/dex/callback/webPassword"
                ProxyPassReverse "http://localhost:5556/dex/callback/webPassword"
        </Location>

stapelberg@ is currently packaging dex for Debian, see 879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).

See Also