Differences between revisions 6 and 7
Revision 6 as of 2017-10-24 07:28:08
Size: 2537
Editor: MichaelStapelberg
Comment:
Revision 7 as of 2017-10-24 16:05:51
Size: 2520
Editor: MichaelStapelberg
Comment:
Line 46, revision 6 (removed):
stapelberg@ is currently packaging dex for Debian, see #879562, but that doesn’t need to block us: because it’s implemented in Go, dex comes as a static binary which can be copied to sso.debian.org.
Line 46, revision 7 (added):
stapelberg@ is currently packaging dex for Debian, see #879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).

This page tracks the remaining work to make salsa.debian.org authenticate against sso.debian.org so that Debian Developers can easily log in without maintaining a separate account. Guest accounts should be possible, too.

  • Make GitLab authenticate against sso.debian.org

    • Anything which OmniAuth supports is fine. This includes OAuth2, SAML, Shibboleth.

    • We should use an existing OAuth2 module, nothing custom.
  • Have guest accounts available through sso.debian.org
    • TODO: ask luca about the status of the user management trial setup
    • as a fallback: enrico could implement basic user management/enrollment in sso.d.o

2017-10-24 suggestion to deploy dex on sso.debian.org

stapelberg@ would like to deploy https://github.com/coreos/dex on sso.debian.org.

dex, in a nutshell, is an OpenID Connect (OIDC) provider with pluggable authentication backends (connectors). In other words, it can delegate authentication to Apache basic auth (via a trusted header set by the reverse proxy in front of it), LDAP, other OAuth2/OIDC providers, …

The idea is to have GitLab and other Debian web apps authenticate against dex.

In terms of technical changes, we’d need a new location config in apache2, similar to this:

        <Location /dex/>
                ProxyPass "http://localhost:5556/dex/"
                ProxyPassReverse "http://localhost:5556/dex/"

                # Added hardening: dex trusts X-Remote-User, so strip any
                # copy a client sends on the public paths. The header is
                # re-set only in the authenticated Location below.
                RequestHeader unset X-Remote-User
        </Location>

        # More specific and later in the file, so it takes precedence
        # over /dex/ for the callback path (and anything below it).
        <Location /dex/callback/webPassword>
                AuthType Basic
                AuthName "db.debian.org webPassword"
                AuthBasicProvider file
                AuthUserFile "/var/lib/misc/thishost/web-passwords"
                Require valid-user

                # Defense in depth: clear the Authorization header so that
                # Debian Web Passwords never even reach dex.
                RequestHeader unset Authorization

                # Requires Apache 2.4.10+ (expr= in RequestHeader).
                # RequestHeader runs in the fixup phase, i.e. only after
                # Require valid-user has passed, so dex can trust the value.
                RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org

                ProxyPass "http://localhost:5556/dex/callback/webPassword"
                ProxyPassReverse "http://localhost:5556/dex/callback/webPassword"
        </Location>
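The Apache fragment above draws a trust boundary around a single header: dex can rely on X-Remote-User only if the proxy never forwards a client-supplied value and sets its own value only after Basic auth has succeeded. The following is an added example, not code from this page or from dex, that models the two <Location> blocks as a small Go reverse proxy in front of a stub standing in for dex, then probes the three cases that matter: a forged X-Remote-User on a public path, an unauthenticated request to the callback, and an authenticated callback that also carries a forged header. The user name, password, realm behaviour and stub responses are constructed for the example; the real deployment uses Apache's hashed user file and dex itself.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed stand-in for the Apache user file. The real provider checks
// hashed entries in /var/lib/misc/thishost/web-passwords; these are made up.
var webPasswords = map[string]string{"alice": "correct horse battery staple"}

// newDexStub stands in for dex on localhost:5556 and echoes the identity
// and credential headers it receives, so the proxy's behaviour is visible.
func newDexStub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "path=%s user=%q auth=%q",
			r.URL.Path, r.Header.Get("X-Remote-User"), r.Header.Get("Authorization"))
	}))
}

// newFrontend mirrors the two <Location> blocks: everything under /dex/ is
// proxied, and /dex/callback/webPassword additionally requires Basic auth,
// drops the Authorization header and stamps a trusted X-Remote-User.
func newFrontend(dexURL string) http.Handler {
	target, err := url.Parse(dexURL)
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/dex/") {
			http.NotFound(w, r)
			return
		}
		// A client-supplied X-Remote-User must never reach dex: the header
		// is only trustworthy when this proxy sets it after authenticating.
		r.Header.Del("X-Remote-User")

		// Like <Location /dex/callback/webPassword>, cover the path itself
		// and anything below it (r.URL.Path is already percent-decoded).
		p := r.URL.Path
		if p == "/dex/callback/webPassword" || strings.HasPrefix(p, "/dex/callback/webPassword/") {
			user, pass, ok := r.BasicAuth()
			want, known := webPasswords[user]
			if !ok || !known || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
				w.Header().Set("WWW-Authenticate", `Basic realm="db.debian.org webPassword"`)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			r.Header.Del("Authorization") // the web password stays at the proxy
			r.Header.Set("X-Remote-User", user+"@debian.org")
		}
		proxy.ServeHTTP(w, r)
	})
}

// basicAuth builds an Authorization header value for the probes below.
func basicAuth(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

type result struct {
	Status int
	Body   string // what the dex stub reported, or the proxy's error text
}

// probe sends one GET through the frontend with the given extra headers.
func probe(frontend http.Handler, path string, hdr map[string]string) result {
	req := httptest.NewRequest("GET", path, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	frontend.ServeHTTP(rec, req)
	return result{rec.Code, rec.Body.String()}
}

// runDemo exercises the three cases that matter for the trust boundary:
// a forged identity on a public path, an unauthenticated callback, and an
// authenticated callback carrying a forged identity alongside real creds.
func runDemo() []result {
	dex := newDexStub()
	defer dex.Close()
	fe := newFrontend(dex.URL)
	return []result{
		probe(fe, "/dex/auth", map[string]string{"X-Remote-User": "mallory@debian.org"}),
		probe(fe, "/dex/callback/webPassword", nil),
		probe(fe, "/dex/callback/webPassword", map[string]string{
			"Authorization": basicAuth("alice", "correct horse battery staple"),
			"X-Remote-User": "mallory@debian.org",
		}),
	}
}

func main() {
	for _, r := range runDemo() {
		fmt.Printf("%d %s\n", r.Status, r.Body)
	}
}
```

The first probe reaches the stub with an empty X-Remote-User, the second is refused with 401 before anything is proxied, and the third reaches the stub as alice@debian.org with no Authorization header, which is exactly the invariant the Apache configuration has to uphold. Note that the stand-in compares plaintext passwords in constant time only to keep the example short; Apache's file provider verifies hashed entries.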

stapelberg@ is currently packaging dex for Debian, see #879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).