coordination #89020

Updated by okurz almost 3 years ago

## Motivation 
 The identity provider we use from openSUSE is again causing problems, e.g. see #88751, so we thought about investing in alternatives that we can use in parallel to the existing one. We already have support for other identity providers, but not at the same time.

 ## Acceptance criteria 
 * **AC1:** openqa.opensuse.org offers login via both the existing provider and another one, e.g. GitHub

 ## Observation 
 In the openQA configuration one can currently choose between *FakeAuth*, *OpenID* and *OAuth2*. Setting `auth/method` in the config file changes that globally, so only one method can be used at a time. Changing it would require all logins to go through the new method, and *Login* always redirects immediately to the configured provider.

 ## Suggestions 
 - Add a *provider* column to the *Users* table 
 - Make *username* unique across providers (so the new unique constraint would be `username,provider` and *not* just `username`) 
 - Allow configuring multiple auth methods at the same time 
 - Allow configuring multiple providers per auth method at the same time at least for *OAuth2* (to be able to support e.g. ipsilon and GitHub at the same time) 
 - Ensure existing data defaults to the active provider upon migration **or** continues to work as-is with manual intervention required 
 - Provide UX in the web UI e.g. expose buttons for providers to choose from 
 - Make it clear in the UI which authentication provider is used
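
The schema suggestions above, sketched as an added example (not openQA's own code or schema): it uses SQLite in place of the production database, and the `is_admin` column, the provider labels `openid` and `github`, and all function names are assumptions. It shows existing rows defaulting to the active provider on migration, and why the lookup key has to be `username,provider`: the same username arriving from a second provider gets its own row instead of the existing account.

```python
import sqlite3

ACTIVE_PROVIDER = "openid"  # assumed label for the provider in use before migration

def open_legacy_db():
    """Constructed pre-migration table: username alone is unique."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " username TEXT NOT NULL UNIQUE,"
               " is_admin INTEGER NOT NULL DEFAULT 0)")  # is_admin: hypothetical column
    db.execute("INSERT INTO users (username, is_admin) VALUES ('alice', 1)")
    db.commit()
    return db

def migrate(db):
    """Add provider, default existing rows to the active provider, widen the key."""
    # SQLite cannot drop a column-level UNIQUE in place, so the table is rebuilt.
    db.execute("CREATE TABLE users_new (id INTEGER PRIMARY KEY,"
               " username TEXT NOT NULL, provider TEXT NOT NULL,"
               " is_admin INTEGER NOT NULL DEFAULT 0,"
               " UNIQUE (username, provider))")
    db.execute("INSERT INTO users_new (id, username, provider, is_admin)"
               " SELECT id, username, ?, is_admin FROM users", (ACTIVE_PROVIDER,))
    db.execute("DROP TABLE users")
    db.execute("ALTER TABLE users_new RENAME TO users")
    db.commit()

def login(db, provider, username):
    """Map an authenticated (provider, username) to a user id.

    The lookup never falls back to username alone, so a first login from a
    new provider creates a separate, unprivileged row."""
    row = db.execute("SELECT id FROM users WHERE provider = ? AND username = ?",
                     (provider, username)).fetchone()
    if row:
        return row[0]
    cur = db.execute("INSERT INTO users (username, provider) VALUES (?, ?)",
                     (username, provider))
    db.commit()
    return cur.lastrowid

def is_admin(db, user_id):
    row = db.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row[0])

if __name__ == "__main__":
    db = open_legacy_db()
    migrate(db)
    for provider in (ACTIVE_PROVIDER, "github"):
        uid = login(db, provider, "alice")
        print(provider, uid, is_admin(db, uid))
```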
