Project

General

Profile

Actions

action #67576

closed

[spike:20h] github as authentication provider

Added by okurz almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Feature requests
Target version:
Start date:
2020-06-02
Due date:
% Done:

0%

Estimated time:

Description

Motivation

We only support "OpenID" and "Fake" authentication so far. In #66703 we can see the problem with the high reliance on OpenID. In multiple places we are happy users of what github provides. We should research how feasible it is to support github as authentication provider, same as many other services do.

Actions #1

Updated by livdywan almost 4 years ago

  • Status changed from Workable to In Progress
  • Assignee set to livdywan
  • Target version changed from Ready to Current Sprint
Actions #2

Updated by livdywan almost 4 years ago

  • OAuth 2.0 which GitHub supports is pretty straightforward. Request a token via GET, get a temporary code and turn that into an access token.
  • An application has to be registered. The domain has to match or the login will fail.
  • Getting user details like nickname/fullname/email requires gitHub-specific API, although that's just one more GET.
  • Mojolicious::Plugin::OAuth2 looks to make OAuth 2.0 easy to implement. Bonus points for supporting various other services by design.
  • We could get the gravatar avatar and use it - this would be a new feature.

My proof of concept actually turned into a working implementation pretty quickly.

On a side note, we could hypothetically use GitHub credentails for needle editing. Although I didn't explore this further.

Actions #3

Updated by okurz almost 4 years ago

  • We could get the gravatar and use it - this would be a new feature.

We already support gravatar. Isn't that only based on the email?

Actions #4

Updated by livdywan almost 4 years ago

okurz wrote:

  • We could get the gravatar and use it - this would be a new feature.

We already support gravatar. Isn't that only based on the email?

Sorry, I actually meant avatar there. The email is optional if the user chooses to hide it. So using the provided avatar would work better in that case.

Actions #5

Updated by livdywan almost 4 years ago

Note: @tinita was so kind to me help out by preparing a package for the OAuth 2.0 plugin: https://build.opensuse.org/request/show/811723

Actions #6

Updated by tinita almost 4 years ago

The request for Factory is here: https://build.opensuse.org/request/show/811785 (still in review)

Actions #8

Updated by livdywan over 3 years ago

  • Status changed from In Progress to Feedback

https://github.com/os-autoinst/openQA/pull/3150

The Feedback here is not going to be observed in production instances, as we don't plan to enable it for now. Although we might see some on other instances so I'll use the status like usual.

Btw docs are/will be here soon http://open.qa/docs/#authentication

Actions #9

Updated by okurz over 3 years ago

  • Status changed from Feedback to Resolved

@cdywan you provided a minor fix with https://github.com/os-autoinst/openQA/pull/3258 which has been merged and is active. http://open.qa/docs/#authentication is updated and we do not need to verify this on our production instances so considered "Resolved"

Actions

Also available in: Atom PDF