Future of Web Single Sign On in KDE

Matthieu Gallien gallien.matthieu at gmail.com
Tue Jul 19 08:52:49 BST 2022


Hello,

On lundi 18 juillet 2022 21:40:48 CEST Carl Schwan wrote:
> on mobile so sorry for top posting
> 
> fund.krita.org is using just plain oauth2 so it should be fine. Adding more auth options should also not be too hard for fund.krita.org and probably a good idea in any case.
> 
> What I wonder though, is how you plan to do the migration. Identity uses the old username as unique identifier, something we want to move away from (main reason is that people change names for various reasons). my.kde.org uses a uuid instead and that makes it more future proof. Is it possible to use the uuid from my.kde.org in gitlab? I remember some big trouble with the migration (and some nasty emails) and it would be good to avoid that again.
> 
> Also, did you consider using keycloak/freeIPA? These are very solid systems that provide oauth2, openid connect, saml and ldap. Unfortunately, like we learned with mykde, oauth2 only is not really ideal, and openid connect, saml and ldap are way more standardized.

As far as I know, keycloak does not really have a user-accessible way to reset a password or have recovery codes for 2FA authentication. That may be problematic.

> 
> Cheers,
> Carl
> 
> -------- Original Message --------
> On Jul 18, 2022, 20:53, Ben Cooksley wrote:
> 
> > On Tue, Jul 19, 2022 at 2:40 AM Halla Rempt <boud at valdyas.org> wrote:
> >
> >> On zondag 17 juli 2022 11:54:27 CEST Ben Cooksley wrote:
> >>
> >>> I'd therefore like to move away from both Identity and MyKDE to Gitlab.
> >>
> >> What will that mean for fund.krita.org? That currently uses mykde, and that already is a problem for quite a few people to figure out how to create an account and log in.
> >
> > The Krita Fund will need to be sorted out separately, as the Blender Fund app from which it is sourced is fairly tightly coupled with Blender ID (which is where MyKDE came from).
> > There is also the slight issue of its dependence on Braintree.
> >
> > As Ingo points out though, for user focused sites allowing a variety of login providers is likely the best path forward.
> >
> >> Halla
> >
> > Cheers,
> > Ben
> 

Best regards

--
Matthieu