Project

General

Profile

action #67576

[spike:20h] github as authentication provider

Added by okurz over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Feature requests
Target version:
Start date:
2020-06-02
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Motivation

We only support "OpenID" and "Fake" authentication so far. In #66703 we can see the problem with the high reliance on OpenID. In multiple places we are happy users of what github provides. We should research how feasible it is to support github as authentication provider, same as many other services do.

History

#1 Updated by cdywan over 1 year ago

  • Status changed from Workable to In Progress
  • Assignee set to cdywan
  • Target version changed from Ready to Current Sprint

#2 Updated by cdywan over 1 year ago

  • OAuth 2.0 which GitHub supports is pretty straightforward. Request a token via GET, get a temporary code and turn that into an access token.
  • An application has to be registered. The domain has to match or the login will fail.
  • Getting user details like nickname/fullname/email requires gitHub-specific API, although that's just one more GET.
  • Mojolicious::Plugin::OAuth2 looks to make OAuth 2.0 easy to implement. Bonus points for supporting various other services by design.
  • We could get the gravatar avatar and use it - this would be a new feature.

My proof of concept actually turned into a working implementation pretty quickly.

On a side note, we could hypothetically use GitHub credentails for needle editing. Although I didn't explore this further.

#3 Updated by okurz over 1 year ago

  • We could get the gravatar and use it - this would be a new feature.

We already support gravatar. Isn't that only based on the email?

#4 Updated by cdywan over 1 year ago

okurz wrote:

  • We could get the gravatar and use it - this would be a new feature.

We already support gravatar. Isn't that only based on the email?

Sorry, I actually meant avatar there. The email is optional if the user chooses to hide it. So using the provided avatar would work better in that case.

#5 Updated by cdywan over 1 year ago

Note: tinita was so kind to me help out by preparing a package for the OAuth 2.0 plugin: https://build.opensuse.org/request/show/811723

#6 Updated by tinita over 1 year ago

The request for Factory is here: https://build.opensuse.org/request/show/811785 (still in review)

#8 Updated by cdywan about 1 year ago

  • Status changed from In Progress to Feedback

https://github.com/os-autoinst/openQA/pull/3150

The Feedback here is not going to be observed in production instances, as we don't plan to enable it for now. Although we might see some on other instances so I'll use the status like usual.

Btw docs are/will be here soon http://open.qa/docs/#authentication

#9 Updated by okurz about 1 year ago

  • Status changed from Feedback to Resolved

cdywan you provided a minor fix with https://github.com/os-autoinst/openQA/pull/3258 which has been merged and is active. http://open.qa/docs/#authentication is updated and we do not need to verify this on our production instances so considered "Resolved"

Also available in: Atom PDF