server icon indicating copy to clipboard operation
server copied to clipboard
verified publisher icon etesync

SSO / oidc support

Open parisni opened this issue 1 year ago • 3 comments

Not sure the feature already exists thanks to django framework server

parisni avatar Sep 29 '24 10:09 parisni

There is a core problem with SSO.

When using password authentication, the encryption key is derived from the password. With SSO, I see no sensible way to derive an encryption key.

Maybe you have an idea how to solve this problem, otherwise I think SSO is just infeasible for EteSync.

lfuerderer avatar Sep 29 '24 11:09 lfuerderer

No strong confidence on the below naive approach, happy to have your thought

  1. Map the password to a given attribute in the SSO payload, let's say now encryption derive from etesync_key attribute managed by the provider
  2. On the provider side, encrypt/decrypt etesync_key with the user password, and pass it to etesync as a payload. Sounds like possible w/ keyckoak

This means on etesync side there is no complexity, the risky part is delegated to the provider.

parisni avatar Sep 29 '24 12:09 parisni

You can do SSO for the user provisioning and authentication (I'm pretty sure we support SAML already? Not sure) though the encryption key will have to be separate.

The main problem though is that we would need to also implement this across all of the clients, and I think the added benefit is minimal.

tasn avatar Sep 29 '24 13:09 tasn