SSO: Login over wechange.de account via oAuth2 or LDap

[david-ziegler]

Problem

• Users are annoyed of too many logins
• Story userdata is quite sensitive regarding privacy...
• On kvm we dont have and dont want to enable user-to-user communication.
  • But for regional and thematic collaboration we need to offer certain possibilities.

Solution

• [ ] Implement SSO with wechange.de-Useraccounts
  • Definition is described here: https://github.com/wechange-eg/faq/blob/main/OAuth2.md
• [ ] Group-Membership defines, if a user has Admin-Status on ofDB
  • [ ] In a Super-Admin list on ofDB Helmut can define, which Group from wechange.de is giving admins rights (later it can be limitted to certain areas or hashtags)
  • [ ] Via this link: https://wechange.de/o/me/ you get the group-memberships of a user, to check of which groups he is part of.

Creating entries should be possible without login but then those entries first must be checked by a Regionalpilot before they are added.

Issues from WE:

• Single-Sign-On (SSO) mit Fairlogin https://git.wechange.de/wechange/aktuell/plattform-n/-/issues/434
• Gruppenmitgliedschaften in OAuth2-SSO integrieren https://git.wechange.de/wechange/aktuell/plattform-n/-/issues/542

---

For Later

• OSM- SSO: when logging in, redirect to OSM to log in there. We need to know the user names to add our entries to the OSM.
• If our useraccounts are connected to OSM it can build on this interface: https://www.onosm.org/

[wellemut]

Hopefully it is possibel to find an Identity-Provider that can handle OSM and all other SSO-Accounts! https://github.com/kartevonmorgen/kartevonmorgen/issues/217