Board to vote on the mantra requirement
Greg Troxel
gdt at lexort.com
Mon Jun 15 10:39:34 PDT 2026
"Regina Obe" <lr at pcorp.us> writes:
>> On the technical side, I'd be very favorable in deploying Keycloak as a Single
>> Sign On solution, to allow services provided by OSGeo and by others to accept
>> the "OSGeo Passport" in addition to other passports they may choose to
>> support, but I think there's still a value in the effort it takes to obtain such
>> "OSGeo Passport" and that removing that barrier would reduce such value.
>
> If keycloak allowed that, that would be great. Don't know enough
> about it to know, or how exactly it would tie in to some of our other
> services like weblate / discourse which already support multiple
> auths.
>
> I think I'd still want to stick with LDAP at least for accessing our
> servers, because we use that to hold our ssh public keys to
> authenticate project members to access their servers. I'm not sure if
> keycloak could do that; it sounds like it would still need LDAP as an
> authentication source and delegate to that.
It may be interesting to look at openstreetmap's experience. There is
now, I think, OAuth2, and various things can invoke that to get
credentials to act as the user against the main site. That may be
different from federated identity "login with foo".
I think the LDAP/ssh issue is that beyond the web authentication flow
(which can be turned into MFA by requiring that at login time), there is
authentication *not via web protocols* and in particular ssh pubkeys.
So an osgeo user has:
  - web authentication
  - a set of ssh keys
Whether the ssh keys are in LDAP or some other mechanism matters for
maintainability but I don't see it as fundamental. (I also don't see a
reason to change.)
I think it's entirely reasonable, as a long term plan, to have all
services that do web auth use some kind of OAuth2 and not accept
passwords, and thus not have to have passwords in LDAP.
> The main pain points I see with LDAP brought up:
>
> a) The MFA brought up in the motion - I agree that we need MFA for LDAP for id.osgeo.org, but I suspect that is not that hard to fix.
I don't follow "MFA for LDAP". The issue is not so much access to LDAP
but MFA for people wanting access while being validated by credentials
stored in LDAP. Maybe you meant that.
> b) The large number of QGIS plugin authors needing an OSGeo account, which thankfully Richard Duivenvoorde has been handling now.
> For this case, I really would like Keycloak rolled out for this and see how it works before we put any great effort in changing our other infrastructure to support it.
> https://github.com/qgis/QGIS-Plugins-Website/issues/274
That sounds like they are deciding that they are willing to take any
account with no anti-spam signup.
And, to discriminate in favor of those with big tech relationships.
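The "ssh public keys in LDAP" setup discussed above (web login on one side, ssh pubkeys served from the directory on the other) is usually wired into sshd with an AuthorizedKeysCommand helper. The script below is an added illustration, not OSGeo's own configuration: the LDAP URI and base DN, the sshPublicKey attribute name, the script path in the sshd_config comment, and the sample LDIF are all assumptions.

```shell
#!/bin/sh
# Helper for sshd's AuthorizedKeysCommand: print a user's public keys
# fetched from LDAP in authorized_keys format. Added example; the URI,
# base DN and attribute name below are assumptions, not a real deployment.
#
# sshd_config (assumed):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# Only accept a plain POSIX-style login name before it is spliced into
# the LDAP search filter, so a crafted name cannot change the query.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Convert ldapsearch LDIF on stdin to authorized_keys lines on stdout.
# Unfolds continuation lines (leading space), decodes base64 values
# ("sshPublicKey:: ..."), and drops anything that is not an OpenSSH key.
ldif_to_authorized_keys() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d) ;;
            "sshPublicKey: "*)
                key="${line#sshPublicKey: }" ;;
            *) continue ;;
        esac
        case "$key" in
            "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*|"sk-ssh-ed25519@openssh.com "*)
                printf '%s\n' "$key" ;;
        esac
    done
}

# Look up one user's keys; returns non-zero for an invalid login name.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" "(uid=$1)" sshPublicKey |
        ldif_to_authorized_keys
}

# Act as the sshd helper only when invoked under that name.
case "${0##*/}" in ldap-ssh-keys) fetch_keys "$1" ;; esac
```

Because the helper runs as an unprivileged user and never touches the user's home directory, a compromised account cannot add its own keys; they can only change in the directory.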