What we need to accomplish

Several new web services related to Debian packages are appearing (QA web interface, metadata management, debtags tagging). All of them should use the same authentication provider, backed by a central database of usernames, authentication tokens and email addresses, rather than each keeping its own copy of the credentials.

There are two approaches:

Using Alioth

Alioth already provides a user database of Debian Developers and normal users (whose usernames are suffixed with "-guest"), together with their email addresses. An authentication interface could be written that lets third-party sites authenticate users against this service without ever handing out the passwords.

Build a new authentication service

A secure approach is a central login page to which all third-party sites redirect their users. It takes over the password verification (over SSL) and then sends the users back to the site they came from. On successful authentication the authentication gateway issues a sub-request to the third-party site confirming the login for the specified session. For this to be safe, the session identifier must be generated by the third-party site and be unguessable, the confirming sub-request must be authenticated (for example with a per-site shared secret), and the gateway must only send users back to return URLs registered for that site.

The database should only provide RPC calls to check for a valid login, to create new users and to change metadata, and must never give out raw authentication tokens. That way a compromised third-party site yields no credentials, since it only ever receives a yes/no answer for a session.
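The following is an added model of the two pieces described above (the redirect-and-confirm login flow, and a user database that exposes only narrow calls). It is example code written for this page, not Alioth's or any Debian service's implementation; the class and function names are hypothetical, and the HTTP hops are stand-ins: the gateway's confirming sub-request to the third-party site is a direct method call here, and the sample user is constructed.

```python
"""Hypothetical model of the flow above: redirect to a central login page,
password check there, a MAC-signed back-channel confirmation to the site,
and a user database that exposes only narrow calls. Names are this
example's own, not an Alioth/Debian API; HTTP hops are direct calls."""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class UserDB:
    """Central store offering check_login / create_user / set_email only.
    Salted hashes never leave this class; there is no 'get_hash' call."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "email"}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, username, password, email):
        if username in self._users:
            raise ValueError("user exists")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._kdf(password, salt), "email": email}

    def check_login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._kdf(password, bytes(16))  # same cost for unknown users
            return False
        return hmac.compare_digest(rec["hash"], self._kdf(password, rec["salt"]))

    def set_email(self, username, email):  # the "change metadata" call
        self._users[username]["email"] = email


def confirmation_mac(secret, site_id, session_id, username, ts):
    """MAC over everything the site will act on, keyed with the per-site secret."""
    msg = "|".join((site_id, session_id, username, ts)).encode()
    return hmac.new(secret, msg, "sha256").hexdigest()


def session_from_redirect(url):
    return parse_qs(urlsplit(url).query)["session"][0]


class ThirdPartySite:
    """Never sees a password; learns who is logged in only through a signed
    confirmation for a session id it generated itself."""

    def __init__(self, site_id, secret, gateway_url):
        self.site_id, self.secret, self.gateway_url = site_id, secret, gateway_url
        self.sessions = {}  # session id -> username, or None while pending

    def start_login(self):
        sid = secrets.token_urlsafe(16)  # unguessable; attacker cannot pre-pick it
        self.sessions[sid] = None
        return self.gateway_url + "?" + urlencode({"site": self.site_id, "session": sid})

    def confirm(self, session_id, username, ts, sig):
        """Endpoint for the gateway's sub-request."""
        if session_id not in self.sessions or self.sessions[session_id] is not None:
            return False  # unknown or already confirmed session
        if abs(time.time() - int(ts)) > 300:
            return False  # stale confirmation (replay)
        expected = confirmation_mac(self.secret, self.site_id, session_id, username, ts)
        if not hmac.compare_digest(expected, sig):
            return False  # forged or tampered
        self.sessions[session_id] = username
        return True

    def user_for(self, session_id):
        return self.sessions.get(session_id)


class AuthGateway:
    """Central login page; redirects only to registered return URLs."""

    def __init__(self, db):
        self.db = db
        self.sites = {}  # site id -> (return_url, shared secret, confirm callable)

    def register_site(self, site_id, return_url, secret, confirm):
        self.sites[site_id] = (return_url, secret, confirm)

    def login(self, site_id, session_id, username, password):
        site = self.sites.get(site_id)
        if site is None or not self.db.check_login(username, password):
            return None  # unknown site (no open redirect) or bad password
        return_url, secret, confirm = site
        ts = str(int(time.time()))
        sig = confirmation_mac(secret, site_id, session_id, username, ts)
        if not confirm(session_id, username, ts, sig):  # the sub-request
            return None
        return return_url + "?" + urlencode({"session": session_id})


def demo(password="correct horse"):
    """Full flow; returns (user the site now knows, redirect-back URL)."""
    db = UserDB()
    db.create_user("alice", "correct horse", "alice@example.org")  # constructed user
    gw, secret = AuthGateway(db), os.urandom(32)
    site = ThirdPartySite("qa", secret, "https://auth.example.org/login")
    gw.register_site("qa", "https://qa.example.org/login-done", secret, site.confirm)
    sid = session_from_redirect(site.start_login())  # browser arrives at the gateway
    back = gw.login("qa", sid, "alice", password)
    return site.user_for(sid), back


def forged_confirmation():
    """Attacker who learned a pending session id but not the site's secret."""
    site = ThirdPartySite("qa", os.urandom(32), "https://auth.example.org/login")
    sid = session_from_redirect(site.start_login())
    ok = site.confirm(sid, "mallory", str(int(time.time())), "00" * 32)
    return ok, site.user_for(sid)
```

`demo()` walks the whole exchange: the site creates a pending session and redirects, the gateway checks the password against the central store, confirms the session over the back channel, and only then redirects the browser to the registered return URL. `forged_confirmation()` shows why the sub-request has to be authenticated: knowing a session id alone does not let anyone log a user in. In a real deployment the confirm call would be an HTTPS request from the gateway to the site, and the per-site secret would be provisioned when the site is registered.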