PSC Vote: Let's move this list to discourse

Greg Troxel gdt at lexort.com
Sat Jan 6 04:46:56 PST 2024


Sandro Santilli <strk at kbt.io> writes:

> On Fri, Jan 05, 2024 at 01:36:02PM -0500, Greg Troxel wrote:
>> Jody Garnett <jody.garnett at gmail.com> writes:
>> 
>> > For lists focused on public interaction like marketing it is an advantage
>> > to have GitHub login (and others). We are a public service outreach
>> > organization after all :)
>> 
>> If github is supported, it should be via 'use your openid auth provider'
>> where you can type in any and it's just an example.  github is already
>> more than dominant enough to have crossed into harmful, in that if you
>> do something not on github, people demand that you justify it.
>
> I agree on this.
>
> I didn't find a way for Discourse to let you use an arbitrary openid
> provider. But earlier today I had configured it to let you login via
> gitea.com on which you can login using OpenID-2.0, which is the protocol
> allowing you to use your own openid auth provider:
>
>     https://gitea.com/user/login/openid
>
> Unfortunately the Discourse "OpenID-Connect" plugin doesn't seem to
> let you add an arbitrary number of authentication sources, so we're
> stuck with either picking gitea.com OR git.osgeo.org/gitea as the
> authentication provider, so at the moment I went with ours (which
> does not allow OpenID-2.0 sign-in).
>
> What we can do:
>
>   1. Implement IndieAuth plugin for Discourse
>      https://meta.discourse.org/t/indieauth-login/48182
>
>   2. Implement OpenID-2.0 plugin for Discourse
>
>   3. Enable OpenID-2.0 support in the OSGeo Gitea and use that

That makes sense to me.  It is reasonable for osgeo to own its own main
auth provider and to let people use openid with it.  The gitea.com
instance is like github except it isn't big enough to be as problematic,
which goes with not being big enough to be widely useful.

> I never understood if OpenID-Connect could possibly work with an
> arbitrary URI as my understanding is that you are supposed to share
> a secret with the identity provider, which cannot possibly be the
> case with arbitrary URIs.

I wonder why, if you can validate the connection over https.

(It's on my list to understand all of this but so far I am hazy.)


Here's a trip report from me trying to log into discourse for the first
time:

  sign up button:

    1) has github explicitly, which I don't think is ok

    2) has "LDAP", but ldap is a protocol not an auth provider.  I am
    guessing that this is the central auth for osgeo accounts which is
    what osgeo gitea uses.  Seems to involve sending password to
    discourse, which is a PoLP violation.

    3) osgeo gitea seems to work but after username/password (from password
    manager from osgeo account), I get

        Authorize "OSGeo Discourse" to access your account?

        If you grant the access, it will be able to access and write to
        all your account information, including private repos and
        organisations.  This application was created by @sac.

        You will be redirected to
        https://discourse.osgeo.org/auth/oidc/callback if you authorize
        this application.

    and there is no reason for discourse to write to gitea.  So this
    should be some more limited permissions.

    4) github asks

        OSGeo Discourse by Open Source Geospatial Foundation
        wants to access your gdt account
        Personal user data
        Email addresses (read-only)

    which is ok, except github

More information about the Sac mailing list