PSC Vote: Let's move this list to discourse
Greg Troxel
gdt at lexort.com
Sat Jan 6 04:46:56 PST 2024
Sandro Santilli <strk at kbt.io> writes:
> On Fri, Jan 05, 2024 at 01:36:02PM -0500, Greg Troxel wrote:
>> Jody Garnett <jody.garnett at gmail.com> writes:
>>
>> > For lists focused on public interaction like marketing it is an advantage
>> > to have GitHub login (and others). We are a public service outreach
>> > organization after all :)
>>
>> If github is supported, it should be via 'use your openid auth provider'
>> where you can type in any and it's just an example. github is already
>> more than dominant enough to have crossed into harmful, in that if you
>> do something not on github, people demand that you justify it.
>
> I agree on this.
>
> I didn't find a way for Discourse to let you use an arbitrary openid
> provider. But earlier today I had configured it to let you login via
> gitea.com on which you can login using OpenID-2.0, which is the protocol
> allowing you to use your own openid auth provider:
>
> https://gitea.com/user/login/openid
>
> Unfortunately the Discourse "OpenID-Connect" plugin doesn't seem to
> let you add an arbitrary number of authentication sources so we're
> stuck with either picking gitea.com OR git.osgeo.org/gitea as the
> authentication provider, so at the moment I went with ours (which
> does not allow OpenID-2.0 sign-in).
>
> What we can do:
>
> 1. Implement IndieAuth plugin for Discourse
> https://meta.discourse.org/t/indieauth-login/48182
>
> 2. Implement OpenID-2.0 plugin for Discourse
>
> 3. Enable OpenID-2.0 support in the OSGeo Gitea and use that
That makes sense to me. It is reasonable for osgeo to own its own main
auth provider and to let people use openid with it. The gitea.com
instance is like github except it isn't big enough to be as problematic,
which goes with not being big enough to be widely useful.
> I never understood if OpenID-Connect could possibly work with an
> arbitrary URI as my understanding is that you are supposed to share
> a secret with the identity provider, which cannot possibly be the
> case with arbitrary URIs.
I wonder why if you can validate the connection over https.
(It's on my list to understand all of this but so far I am hazy.)
Here's a trip report from me trying to log into discourse for the first
time:
sign up button:
1) has github explicitly, which I don't think is ok
2) has "LDAP", but ldap is a protocol not an auth provider. I am
guessing that this is the central auth for osgeo accounts which is
what osgeo gitea uses. Seems to involve sending password to
discourse, which is a PoLP violation.
3) osgeo gitea seems to work but after username/password (from password
manager from osgeo account), I get
Authorize "OSGeo Discourse" to access your account?
If you grant the access, it will be able to access and write to
all your account information, including private repos and
organisations. This application was created by @sac.
You will be redirected to
https://discourse.osgeo.org/auth/oidc/callback if you authorize
this application.
and there is no reason for discourse to write to gitea. So this
should be some more limited permissions.
4) github asks
OSGeo Discourse by Open Source Geospatial Foundation
wants to access your gdt account
Personal user data
Email addresses (read-only)
which is ok, except github
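An added example (not from this thread or from any OSGeo or Discourse code) of the check point 3 above is really asking for: audit the authorization request an OIDC login sends to the provider and flag any scope beyond what a forum login needs. The callback URL is the one quoted above; the allowed scope set is the standard OIDC one (an assumption, since the page does not list Gitea's scope names), and the repo:* scope names in the sample are placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Minimum an OIDC "log in with ..." flow needs: an identity and, for a forum, an email.
# Assumption: standard OIDC scope names; the page does not list Gitea's own scope names.
LOGIN_SCOPES = {"openid", "email", "profile"}
EXPECTED_CALLBACK = "https://discourse.osgeo.org/auth/oidc/callback"


def audit_authorization_request(url, allowed=LOGIN_SCOPES, callback=EXPECTED_CALLBACK):
    """Inspect one OAuth 2.0 / OIDC authorization request URL (where the browser is sent
    when you click "log in with ...") and report scopes beyond what a login needs,
    plus the other checks a relying-party audit would make."""
    params = parse_qs(urlparse(url).query)
    # 'scope' is a space-separated list; tolerate it being repeated or absent.
    requested = set(" ".join(params.get("scope", [])).split())
    excess = sorted(requested - allowed)
    problems = []
    if params.get("response_type") != ["code"]:
        problems.append("response_type is not 'code' (authorization code flow expected)")
    if "openid" not in requested:
        problems.append("no 'openid' scope: this is a plain OAuth2 grant, not an OIDC login")
    if excess:
        problems.append("asks for more than login needs: " + ", ".join(excess))
    if params.get("redirect_uri") != [callback]:
        problems.append("redirect_uri is not the expected callback")
    if "state" not in params:
        problems.append("no 'state' parameter to bind the response to this browser session")
    return {"scopes": sorted(requested), "excess_scopes": excess, "problems": problems}


# Constructed sample requests; repo:* are placeholder scope names, not Gitea's real ones.
BROAD_REQUEST = (
    "https://git.example.org/login/oauth/authorize?client_id=discourse"
    "&response_type=code&state=abc123&redirect_uri=" + EXPECTED_CALLBACK +
    "&scope=openid+email+repo:read+repo:write"
)
MINIMAL_REQUEST = (
    "https://git.example.org/login/oauth/authorize?client_id=discourse"
    "&response_type=code&state=abc123&redirect_uri=" + EXPECTED_CALLBACK +
    "&scope=openid+email"
)

if __name__ == "__main__":
    for name, url in (("broad", BROAD_REQUEST), ("minimal", MINIMAL_REQUEST)):
        print(name, audit_authorization_request(url))
```

The broad request is what a prompt like "access and write to all your account information" corresponds to; the minimal one is what a login-only integration should send.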