
Add OIDC support

Open jelly opened this issue 4 years ago • 4 comments

Add openid connect support to archweb to allow authentication via Keycloak.

Possible with https://github.com/mozilla/mozilla-django-oidc

  • Document how to locally set up Keycloak for development
  • Write OIDC integration
  • Document configuration of the OIDC setup

jelly avatar May 18 '20 08:05 jelly

It's important to know that we only want to allow logins for users that have the Staff role.

svenstaro avatar Jul 24 '20 20:07 svenstaro

Work is now in progress and we have an oidc branch and I'm implementing the role mapping now:

In general users are restricted to be allowed to log in to archweb if:

  • They have the Staff role
  • They are testers in the group "External Contributors/Archweb/Testers"

Archweb should assign users to certain groups/allowed repositories (for adopting/orphaning packages) automatically once a user is newly created or its roles/groups changed in Keycloak:

  • Trusted User - member of "Trust Users" group, Allowed Repos: Community, Community-Testing, Community-Staging, Multilib, Multilib-Testing, Multilib-Staging
  • Developer - member of the "Developer" group, Allowed Repos: Core, Extra, Testing, Staging, Multilib
  • DevOps - Django superuser/staff status
  • Mirrorlist Maintainers - member of the "Mirrorlist Maintainers" and Django staff status to allow logging into the django admin backend to change our mirror models.
  • Release Engineering - member of the "Download Page Release" and Django staff status to allow logging into the django admin backend to add new Archiso releases.
  • Support Staff - Assigned to the group "Support Staff" if they are in "Bug Wranglers", "Forum", "wiki", "Security Team", "IRC" groups on Keycloak
  • Testers - Assigned to the group "Testers" if they are in "External Contributors/Archweb/Testers".

When a User loses a Group, they are added to the "Retired $groupname" group

jelly avatar Feb 21 '21 11:02 jelly
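The role mapping sketched in the comment above, as an added example that is not archweb's own code: a pure-Python function that gates login on the Staff role or the Testers group, derives archweb groups, admin flags and allowed repositories from Keycloak claims, and adds "Retired <group>" entries for groups a user lost. The claim keys (`roles`, `groups`), the exact Keycloak group paths and the `DevOps` group name are assumptions.

```python
# Added example, not archweb's code. Claim keys and group names are assumed.
from dataclasses import dataclass, field

# Keycloak group -> archweb group, following the list in the comment (assumed exact names)
GROUP_MAP = {
    "Trusted Users": "Trusted Users",
    "Developer": "Developer",
    "Mirrorlist Maintainers": "Mirrorlist Maintainers",
    "Download Page Release": "Release Engineering",
    "External Contributors/Archweb/Testers": "Testers",
}
SUPPORT_STAFF_SOURCES = {"Bug Wranglers", "Forum", "wiki", "Security Team", "IRC"}
STAFF_STATUS_GROUPS = {"Mirrorlist Maintainers", "Release Engineering"}
ALLOWED_REPOS = {
    "Trusted Users": {"Community", "Community-Testing", "Community-Staging",
                      "Multilib", "Multilib-Testing", "Multilib-Staging"},
    "Developer": {"Core", "Extra", "Testing", "Staging", "Multilib"},
}

@dataclass
class Profile:
    groups: set = field(default_factory=set)
    allowed_repos: set = field(default_factory=set)
    is_staff: bool = False
    is_superuser: bool = False

def may_log_in(claims):
    """Login gate: Staff role, or membership in the Testers group."""
    return ("Staff" in claims.get("roles", [])
            or "External Contributors/Archweb/Testers" in claims.get("groups", []))

def map_claims(claims, previous_groups=frozenset()):
    """Derive the archweb profile from Keycloak claims; lost groups become 'Retired <group>'."""
    kc_groups = set(claims.get("groups", []))
    p = Profile()
    for kc, web in GROUP_MAP.items():
        if kc in kc_groups:
            p.groups.add(web)
    if kc_groups & SUPPORT_STAFF_SOURCES:
        p.groups.add("Support Staff")
    if "DevOps" in kc_groups:              # assumed name of the DevOps group
        p.is_staff = p.is_superuser = True
    p.is_staff = p.is_staff or bool(p.groups & STAFF_STATUS_GROUPS)
    for g in p.groups:
        p.allowed_repos |= ALLOWED_REPOS.get(g, set())
    lost = {g for g in previous_groups - p.groups if not g.startswith("Retired ")}
    p.groups |= {f"Retired {g}" for g in lost}
    return p
```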

We should probably not rely on email matching for user linking as the email address can be changed in Keycloak. But for initial matching of existing developers we need to rely on the email address, but we should also store the OpenID sub identifier so we can match on this when connecting users. This is possible by implementing some OIDC functionality ourselves using the upstream documentation.

jelly avatar Feb 21 '21 16:02 jelly

Investigate if archweb can set an SSH key and mail credentials password for Arch Staff in a Keycloak attribute

jelly avatar May 25 '21 22:05 jelly