[wip] use github auth

[jacobian]

Rather than using Django's built-in auth, admins should auth against github.

• [x] add github auth
• [x] use GithubTeamOAuth2 instead of GithubOrganizationOAuth2
• [ ] create the signup flow:
  • [ ] start page for creating an account
  • [ ] post-auth complete page
  • [ ] document how admins should add more perms to created users
• [ ] add "login with github" to admin page
• [ ] remove password auth entirely
• [ ] figure out and document initial setup flow
• [ ] add whitelist?
• [ ] test with other users to make sure this is right

[jacobian]

Or maybe we should use github instead? /cc @adelevie

[NoahKunin]

Why is MyUSA being considered? It's on the line to deprecation due to Login. I'd use GitHub auth until Login is up.

[jacobian]

github it is 👍

[jessieay]

@jacobian thoughts on scoping to https://github.com/orgs/18F/teams/18f so only 18F staff can auth rather than anyone in the 18F org? (197 vs 346 ppl)

[jacobian]

@jessieay it's hard to tell, but that's what this does, see https://github.com/18F/bug-bounty/pull/6/files#diff-041953c637f95e25fb35d51022891763R79 - using the GithubOrganizationOAuth2 backend takes care of that. See http://psa.matiasaguirre.net/docs/backends/github.html#github-for-organizations for the (scant) documentation.

[jessieay]

@jacobian I was thinking you'd want GithubTeamOAuth2. -- I think you are using the 18F Org, which is bigger than the 18F Team

[jacobian]

@jessieay oh shit, I'd missed that difference! Yes, you're totally right - thank you!

[konklone]

@jacobian So how much do we pay @jessieay for that one? :smile_cat:

[NoahKunin]

@jessieay http://i.giphy.com/13B1WmJg7HwjGU.gif