PSC Vote: Let's move this list to discourse

Jody Garnett <jody.garnett@gmail.com> writes:

> For lists focused on public interaction like marketing it is an advantage
> to have GitHub login (and others). We are a public service outreach
> organization after all :slight_smile:

If github is supported, it should be via 'use your openid auth provider'
where you can type in any and it's just an example. github is already
more than dominant enough to have crossed into harmful, in that if you
do something not on github, people demand that you justify it.

On Fri, Jan 05, 2024 at 01:36:02PM -0500, Greg Troxel wrote:

> Jody Garnett <jody.garnett@gmail.com> writes:
> 
> > For lists focused on public interaction like marketing it is an advantage
> > to have GitHub login (and others). We are a public service outreach
> > organization after all :slight_smile:
> 
> If github is supported, it should be via 'use your openid auth provider'
> where you can type in any and it's just an example. github is already
> more than dominant enough to have crossed into harmful, in that if you
> do something not on github, people demand that you justify it.

I agree on this.

I didn't find a way for Discourse to let you use an arbitrary openid
provider. But earlier today I had configured it to let you login via
gitea.com on which you can login using OpenID-2.0, which is the protocol
allowing you to use your own openid auth provider:

    Sign In - Gitea: Git with a cup of tea

Unfortunately the Discourse "OpenID-Connect" plugin doesn't seem to
let you add an arbitrary number of authentication sources, so we're
stuck with either picking gitea.com OR git.osgeo.org/gitea as the
authentication provider, so at the moment I went with ours (which
does not allow OpenID-2.0 sign-in).

What we can do:

  1. Implement IndieAuth plugin for Discourse
     IndieAuth login - feature - Discourse Meta

  2. Implement OpenID-2.0 plugin for Discourse

  3. Enable OpenID-2.0 support in the OSGeo Gitea and use that

I never understood if OpenID-Connect could possibly work with an
arbitrary URI as my understanding is that you are supposed to share
a secret with the identity provider, which cannot possibly be the
case with arbitrary URIs.

--strk;
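An added example, not code from this thread, from Discourse or from Gitea, of how a login identified by an arbitrary URL can work without the pre-shared client secret Sandro mentions: the IndieAuth style listed as option 1 above, simulated offline. The user's identity URL points (via `<link rel="authorization_endpoint">`) at the server that speaks for it, the client is identified by its own URL rather than a registered id/secret pair, and the code is bound to the requester by an origin check on `redirect_uri`, the echoed `state` and PKCE (S256). The endpoint URLs, the profile page and the simplified same-origin rule are constructed assumptions for this example; a real deployment would fetch the profile over HTTPS and the user would actually log in at their own endpoint.

```python
import base64
import hashlib
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class RelLinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.rels.setdefault(a["rel"], a["href"])


def discover_endpoints(profile_html: str) -> dict:
    """Discovery: the user's own page declares which server speaks for it."""
    p = RelLinkParser()
    p.feed(profile_html)
    return {k: v for k, v in p.rels.items()
            if k in ("authorization_endpoint", "token_endpoint")}


def pkce_pair() -> tuple:
    """Return (code_verifier, S256 code_challenge)."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    return secrets.compare_digest(
        b64url(hashlib.sha256(code_verifier.encode()).digest()), code_challenge)


def build_authorization_url(auth_endpoint, client_id, redirect_uri, me, state, challenge):
    """Client side of the request: note that no client_secret appears."""
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "me": me, "state": state,
         "code_challenge": challenge, "code_challenge_method": "S256"}
    return auth_endpoint + "?" + urlencode(q)


class AuthorizationServer:
    """The endpoint the user's profile pointed at. It never registered the
    client, so it relies on origin binding, the echoed state and PKCE."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, auth_url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
        c, r = urlsplit(q["client_id"]), urlsplit(q["redirect_uri"])
        # Simplified binding rule assumed here: redirect_uri must sit on the
        # client_id's https origin, so the code can only be delivered there.
        if c.scheme != "https" or (c.scheme, c.netloc) != (r.scheme, r.netloc):
            raise ValueError("redirect_uri must share the client_id origin")
        if q.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = q
        return {"code": code, "state": q["state"]}   # state echoed untouched

    def redeem_code(self, code, client_id, redirect_uri, code_verifier) -> str:
        q = self._codes.pop(code, None)   # single use
        if q is None:
            raise PermissionError("unknown or already used code")
        if (client_id, redirect_uri) != (q["client_id"], q["redirect_uri"]):
            raise PermissionError("code was issued to a different client")
        if not verify_pkce(code_verifier, q["code_challenge"]):
            raise PermissionError("PKCE verification failed")
        return q["me"]   # the identity URL this server vouches for


def run_flow(profile_html, me, client_id, redirect_uri):
    """Full exchange: discovery, request, redirect back, redemption."""
    ep = discover_endpoints(profile_html)
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(ep["authorization_endpoint"], client_id,
                                  redirect_uri, me, state, challenge)
    server = AuthorizationServer()      # stands in for the user's endpoint
    redirect = server.issue_code(url)
    if redirect["state"] != state:      # client-side CSRF check
        raise PermissionError("state mismatch")
    return server.redeem_code(redirect["code"], client_id, redirect_uri, verifier)


PROFILE_HTML = """<html><head>
<link rel="authorization_endpoint" href="https://alice.example/auth">
<link rel="token_endpoint" href="https://alice.example/token">
</head><body>alice</body></html>"""   # constructed sample profile page

if __name__ == "__main__":
    print(run_flow(PROFILE_HTML, "https://alice.example/",
                   "https://forum.example/", "https://forum.example/auth/cb"))
```

The point of the exchange is that nothing secret is shared in advance: the server learns who the client is from the `client_id` URL, refuses to send the code anywhere off that origin, and accepts the redemption only from the party holding the matching `code_verifier`. That is the property OpenID Connect's registered `client_secret` provides by other means.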

Sandro Santilli <strk@kbt.io> writes:

> On Fri, Jan 05, 2024 at 01:36:02PM -0500, Greg Troxel wrote:
> 
> > Jody Garnett <jody.garnett@gmail.com> writes:
> > 
> > > For lists focused on public interaction like marketing it is an advantage
> > > to have GitHub login (and others). We are a public service outreach
> > > organization after all :slight_smile:
> > 
> > If github is supported, it should be via 'use your openid auth provider'
> > where you can type in any and it's just an example. github is already
> > more than dominant enough to have crossed into harmful, in that if you
> > do something not on github, people demand that you justify it.
> 
> I agree on this.
> 
> I didn't find a way for Discourse to let you use an arbitrary openid
> provider. But earlier today I had configured it to let you login via
> gitea.com on which you can login using OpenID-2.0, which is the protocol
> allowing you to use your own openid auth provider:
> 
>     Sign In - Gitea: Git with a cup of tea
> 
> Unfortunately the Discourse "OpenID-Connect" plugin doesn't seem to
> let you add an arbitrary number of authentication sources, so we're
> stuck with either picking gitea.com OR git.osgeo.org/gitea as the
> authentication provider, so at the moment I went with ours (which
> does not allow OpenID-2.0 sign-in).
> 
> What we can do:
> 
>   1. Implement IndieAuth plugin for Discourse
>      IndieAuth login - feature - Discourse Meta
> 
>   2. Implement OpenID-2.0 plugin for Discourse
> 
>   3. Enable OpenID-2.0 support in the OSGeo Gitea and use that

That makes sense to me. It is reasonable for osgeo to own its own main
auth provider and to let people use openid with it. The gitea.com
instance is like github except it isn't big enough to be as problematic,
which goes with not being big enough to be widely useful.

> I never understood if OpenID-Connect could possibly work with an
> arbitrary URI as my understanding is that you are supposed to share
> a secret with the identity provider, which cannot possibly be the
> case with arbitrary URIs.

I wonder why if you can validate the connection over https.

(It's on my list to understand all of this but so far I am hazy.)

Here's a trip report from me trying to log into discourse for the first
time:

  sign up button:

    1) has github explicitly, which I don't think is ok

    2) has "LDAP", but ldap is a protocol not an auth provider. I am
       guessing that this is the central auth for osgeo accounts which is
       what osgeo gitea uses. Seems to involve sending password to
       discourse, which is a PoLP violation.

    3) osgeo gitea seems to work but after username/password (from password
       manager from osgeo account), I get

         Authorize "OSGeo Discourse" to access your account?

         If you grant the access, it will be able to access and write to
         all your account information, including private repos and
         organisations. This application was created by @sac.

         You will be redirected to
         OSGeo Discourse if you authorize
         this application.

       and there is no reason for discourse to write to gitea. So this
       should be some more limited permissions.

    4) github asks

         OSGeo Discourse by Open Source Geospatial Foundation
         wants to access your gdt account
         Personal user data
         Email addresses (read-only)

       which is ok, except github

further trip report.

using ldap to sign up, I am prompted to agree to a privacy policy, which
seems more or less ok, but it's a non-edited template, and presumably
there is some higher-level osgeo policy and I would think there would
just be one.

In Terms, it says they don't apply, but in the boilerplate it has

  You agree to indemnify the company from legal claims by others related
  to your breach of these terms, or breach of these terms by others
  using your account on the forum.

which is totally ridiculous.

After logging in, I see that github is listed as 'associated account'
with a connect button, but I never authorized it. Probably clicking
login-with left some state it shouldn't have.

Sorry for this very long email. I am happy to see we are discussing all of
this even though I'm a little disappointed this group is not interested in
migrating this list.

> Here's a trip report from me trying to log into discourse for the first
> time:
> 
>   sign up button:
> 
>     1) has github explicitly, which I don't think is ok
> 
>     2) has "LDAP", but ldap is a protocol not an auth provider. I am
>        guessing that this is the central auth for osgeo accounts which is
>        what osgeo gitea uses. Seems to involve sending password to
>        discourse, which is a PoLP violation.

I'm thinking we can get rid of LDAP, as it would be redundant with OSGeo
Gitea, and just rename the OSGeo Gitea one to just "OSGeo".

But that said, I guess we have the same PoLP issue with our other services
like Gitea, wiki.osgeo.org, nextcloud.osgeo.org, weblate.osgeo.org and
video.osgeo.org.

So that is a much larger topic than just discourse.

>     3) osgeo gitea seems to work but after username/password (from password
>        manager from osgeo account), I get
> 
>          Authorize "OSGeo Discourse" to access your account?
> 
>          If you grant the access, it will be able to access and write to
>          all your account information, including private repos and
>          organisations. This application was created by @sac.
> 
>          You will be redirected to
>          OSGeo Discourse if you authorize
>          this application.
> 
>        and there is no reason for discourse to write to gitea. So this
>        should be some more limited permissions.

Hmm, I don't get that message, but maybe because I already approved.
What does concern me though, is that after I disconnect OSGeo Gitea, I
would expect it to prompt for the same approval, but it does not. If I
choose to log in via OSGeo Gitea again after removing the connection, it
just lets me in and my discourse profile shows the "connected" with OSGeo
gitea again.

Not sure if that is a bug or not, or maybe I have to go into gitea
somewhere and remove the approval, but I'm not seeing that anywhere under
my gitea settings.

>    4) github asks
> 
>         OSGeo Discourse by Open Source Geospatial Foundation
>         wants to access your gdt account
>         Personal user data
>         Email addresses (read-only)
> 
>       which is ok, except github

My main annoyance here is that Github is above OSGeo. I'd like to move it
below, but haven't found where that is or if it is not currently possible.

But I think having github there is a necessary evil for now, until the ease
with which we can allow people to create OSGeo accounts is lifted and we can
lock down what OSGeo accounts do on a more granular level -- e.g. OSGeo
accounts have only one big level (accounts with shell access) and all other
accounts. Sure we have groups we can manage, but that is just another
maintenance nightmare to lock things down based on groups for each app. Also
I don't think our groups are set up right in LDAP. Something I want to
change once I upgrade LDAP this year.

Next is the local registration piece, do we keep that or not. I'm torn on
that decision as I can think of good reasons for both.

If people don't have an OSGeo account or github accounts or for whatever
reason don't want to use those accounts for discourse correspondence, that
is a disservice to them not to have that feature. I for example use it for
a local admin account (similar to what I have with www.osgeo.org) so if LDAP
is broken (e.g. misconfiguration on my part, LDAP broken) I can still log in
and fix things.

My main reason for wanting to remove the registration and local login option
is that it's confusing, as Markus Neteler had mentioned when I sent him an
invite. I've been struggling to change that invite message, but can't find
where it is, and there seems to be no way I have found to relegate that
login screen unless you disable it altogether.

There is also some concern as Martin had brought up about being in the same
mess as we were with wiki and osgeo.org sites that both started off with
their own auth and merging accounts proved to be a nightmare.

I'm much less concerned with that with discourse because its strategy
seems to be different. Ultimately it seems to go by email addresses and
allows for infinite aliases for email addresses. So you could in theory
login with your LDAP, your Gitea, or your Github account all to the same
account as long as it confirms the email addresses match one of the email
addresses registered to that account.

So for example my LDAP has a different email from my Gitea, but both map to
my same account because my gitea email is an alias in discourse.

But that said if people have OSGeo accounts, we would want to encourage them
to use them.

I also see discourse as a first pass into OSGeo. You might want to stay for
a cup of coffee and never come back. I don't want our LDAP cluttered with
all these casual passers by at least until we have our expiration system in
place.

Maybe we'd have a category like "Getting more involved with OSGeo" where
people can ask questions about OSGeo membership and involvement and talk
about areas where they might want to get involved before they make the step
to asking for an OSGeo account.

Thanks,
Regina
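An added example, not Discourse's code and not from the thread, of the email-based account matching Regina describes above, written as a small policy so the edge cases are explicit. It assumes each login arrives as an assertion from a provider (LDAP, Gitea, GitHub) carrying the provider's user id, an email address, and whether the provider has verified that address; the rule applied here is that an identity attaches to an existing account only when the verified address matches one of the account's registered aliases, that an already-linked identity is accepted on its own, and that an unverified address never merges anything. The account names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Assertion:
    """What a provider tells us after a successful login there."""
    provider: str          # e.g. "ldap", "gitea", "github"
    subject: str           # provider-local user id
    email: str
    email_verified: bool   # did the provider confirm this address?


@dataclass
class Account:
    username: str
    emails: set = field(default_factory=set)       # primary + aliases, normalized
    identities: set = field(default_factory=set)   # (provider, subject) pairs


class Directory:
    """In-memory stand-in for the forum's user table."""

    def __init__(self):
        self.accounts = {}        # username -> Account
        self._by_email = {}       # normalized email -> username
        self._by_identity = {}    # (provider, subject) -> username

    @staticmethod
    def norm(email: str) -> str:
        return email.strip().lower()

    def add_account(self, username: str, *emails: str) -> Account:
        acct = Account(username, {self.norm(e) for e in emails})
        self.accounts[username] = acct
        for e in acct.emails:
            self._by_email[e] = username
        return acct

    def login(self, a: Assertion) -> tuple:
        """Return (outcome, username); outcome is one of
        'known-identity', 'linked', 'created', 'unverified-email'."""
        key = (a.provider, a.subject)
        email = self.norm(a.email)
        if key in self._by_identity:            # seen this identity before
            return "known-identity", self._by_identity[key]
        if not a.email_verified:
            # Merging on an unverified address would let anyone who can
            # claim that address at some provider attach themselves to the
            # account that owns it; stop here and ask for confirmation.
            return "unverified-email", None
        owner = self._by_email.get(email)
        if owner is None:
            base = email.split("@")[0]
            owner, n = base, 1
            while owner in self.accounts:       # avoid username collisions
                n += 1
                owner = f"{base}{n}"
            self.add_account(owner, email)
            outcome = "created"
        else:
            outcome = "linked"                  # alias matched: same person
        self.accounts[owner].identities.add(key)
        self._by_identity[key] = owner
        return outcome, owner

    def disconnect(self, username: str, provider: str) -> None:
        """Drop every identity from `provider` on this account."""
        acct = self.accounts[username]
        for key in [k for k in acct.identities if k[0] == provider]:
            acct.identities.discard(key)
            self._by_identity.pop(key, None)
```

Two behaviours worth noticing. Because the normalized Gitea address is registered as an alias, an LDAP login and a Gitea login with different addresses land on the same account, which is the case Regina describes. And after `disconnect()` the next login from that provider goes through the email path again and re-links silently, because the verified address still matches; in this model that is by design rather than a bug, and a deployment that wants an explicit re-approval has to ask for it itself rather than rely on the provider.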

On January 6, 2024 1:46:56 PM GMT+01:00, Greg Troxel <gdt@lexort.com> wrote:

>        Authorize "OSGeo Discourse" to access your account?
> 
>        If you grant the access, it will be able to access and write to
>        all your account information, including private repos and
>        organisations. This application was created by @sac.
> 
> [...]
> 
>   and there is no reason for discourse to write to gitea. So this
>   should be some more limited permissions.

I think this is the relevant upstream ticket:

--
Sent from hand-held device with K-9 Mail. Please excuse my brevity.

Reply inline

On January 6, 2024 3:01:17 PM GMT+01:00, Greg Troxel <gdt@lexort.com> wrote:

> further trip report.
> 
> [...] Probably clicking login-with left some state it shouldn't have.

Could you please file a ticket for this on https://trac.osgeo.org ? Feel free to also file the one for reduced scope of the Gitea auth token.


Reply is inline

On January 7, 2024 4:33:12 AM GMT+01:00, Regina Obe <lr@pcorp.us> wrote:

> I guess we have the same PoLP issue with our other services

This is the reason why we should have a dedicated service just for authentication, which is what this ticket is about:
https://trac.osgeo.org/osgeo/ticket/1824


Reply inline (I'm splitting the long email into threads)

On January 7, 2024 4:33:12 AM GMT+01:00, Regina Obe <lr@pcorp.us> wrote:

> maybe I have to go into gitea somewhere
> and remove the approval, but not seeing that anywhere under my gitea
> settings.


> maybe I have to go into gitea somewhere and remove the approval, but
>not seeing that anywhere under my gitea settings.

Sign In - OSGeo Git Services: Gitea - Git with a cup of tea


[Regina Obe]
Okay, that worked, though it gave me a 500 when I tried to re-login with it.
I had to refresh the page, but then it was fine.

But I see the message now that Greg was talking about. So that is an issue.

Also when I reauthorize, it gave me a 500 again and then I had to refresh for the login to take effect.
Though it did all work.

So we should sort this out before we encourage its use.

On Mon, Jan 08, 2024 at 12:52:06AM -0500, Regina Obe wrote:

> Also when I reauthorize, it gave me a 500 again and then I had to refresh for the login to take effect.
> Though it did all work.
> 
> So we should sort this out before we encourage its use.

Can you please file a trac ticket under the SysAdmin/Discourse
category? Do we have any other existing service that can play
the OpenID-Connect authentication provider?

I think a focused service would be the best solution for now:

  #1824 (Setup an OpenID provider using the LDAP database as input) – OSGeo

Then all the new services could use that as a backend and reduce
the spreading of username/password pairs.

--strk;

  Libre GIS consultant/developer
  strk's services