This page tracks the remaining work to make salsa.debian.org authenticate against sso.debian.org so that Debian Developers can easily log in without maintaining a separate account. Guest accounts should be possible, too.

2017-10-24 suggestion to deploy dex on sso.debian.org

stapelberg@ would like to deploy https://github.com/coreos/dex on sso.debian.org.

dex, in a nutshell, is an OpenID Connect (OIDC) provider with pluggable backends. In other words, it can authenticate against Apache basic auth, LDAP, other OAuth backends, ….

The idea is to have GitLab and other Debian web apps authenticate against dex.

In terms of technical changes, we’d need a new location config in apache2, similar to this:

        <Location /dex/>
                ProxyPass "http://localhost:5556/dex/"
                ProxyPassReverse "http://localhost:5556/dex/"
        </Location>

        <Location /dex/callback/webPassword>
                AuthType Basic
                AuthName "db.debian.org webPassword"
                AuthBasicProvider file
                AuthUserFile "/var/lib/misc/thishost/web-passwords"
                Require valid-user

                # Defense in depth: clear the Authorization header so that
                # Debian Web Passwords never even reach dex.
                RequestHeader unset Authorization

                # Requires Apache 2.4.10+
                RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org

                ProxyPass "http://localhost:5556/dex/callback/webPassword"
                ProxyPassReverse "http://localhost:5556/dex/callback/webPassword"
        </Location>

stapelberg@ is currently packaging dex for Debian, see 879562, but that doesn’t need to block us: we can build dex on sso.d.o for the time being (requires golang-go to be installed).