This is a proposal; comments are welcome to improve the concept.
Use cases
Users should be able to log in to YunoHost through OpenID Connect providers (and OAuth2 providers?). A pairing process is needed to link an account from an OpenID Connect provider to a YunoHost account.
Technical details
Add an LDAP schema to store several OpenID Connect identities in a user's entry. List of attributes for each OpenID Connect provider:
  - iss
  - sub
  - aud
  - ...
Add a way to configure the OpenID Connect providers available in the SSOwat configuration file (and later in the YunoHost admin interface).
Add a process to pair a YunoHost account with an OpenID Connect account (from the user settings page or from the login page):
  - Display a list of "connect" buttons for the providers, each redirecting the user to the provider's login page
  - Implement the callback in SSOwat that gets the token and the userinfo
  - Store the userinfo data in LDAP
Add a process to log in to YunoHost with an OpenID Connect account:
  - Display a list of "connect" buttons for the providers, each redirecting the user to the provider's login page
  - Implement the callback in SSOwat that gets the token and the userinfo
  - Compare the userinfo data with the data stored in LDAP to find the LDAP user (with password)
  - Continue the login process by generating the cookie
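To make the pairing and login matching concrete, here is an added example (not SSOwat code, which is Lua): LDAP entries are stand-in dicts, the provider table and client ids are constructed, and the claims are assumed to come from an ID token already verified (signature, expiry) by the OIDC client. It matches on the (iss, sub) pair and checks aud against the configured client id, since sub is only unique within one issuer.

```python
"""Pairing and login matching of OIDC claims against LDAP entries.

Constructed illustration, not SSOwat code. Claims are assumed to come from
an ID token whose signature and expiry were already verified.
"""

# Assumed provider configuration (constructed): issuer -> client_id (the aud)
PROVIDERS = {
    "https://idp.example.org": "yunohost-client-1",
    "https://other-idp.example.net": "yunohost-client-2",
}

# Constructed stand-in for LDAP user entries; 'oidc' holds the pairing
# records with the attributes from the proposal (iss, sub, aud).
LDAP_USERS = [
    {"uid": "alice", "oidc": []},
    {"uid": "bob", "oidc": []},
]


def claims_acceptable(claims):
    """True when claims are complete and the token was issued for this client."""
    for key in ("iss", "sub", "aud"):
        if not claims.get(key):
            return False  # incomplete claims: cannot match safely
    client_id = PROVIDERS.get(claims["iss"])
    if client_id is None:
        return False  # issuer not configured for this deployment
    # aud is a string or a list of strings (OIDC Core 3.1.3.7)
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    return client_id in aud


def find_user(claims):
    """Login step: resolve the LDAP uid for acceptable claims, or None.

    Matching uses (iss, sub) together: matching on sub alone would let an
    identity at a second provider resolve to the same account.
    """
    if not claims_acceptable(claims):
        return None
    for user in LDAP_USERS:
        for rec in user["oidc"]:
            if rec["iss"] == claims["iss"] and rec["sub"] == claims["sub"]:
                return user["uid"]
    return None


def pair(uid, claims):
    """Pairing step: link an OIDC identity to an LDAP user; False if refused."""
    if not claims_acceptable(claims):
        return False
    existing = find_user(claims)
    if existing is not None:
        return existing == uid  # already paired; refuse if to another account
    user = next(u for u in LDAP_USERS if u["uid"] == uid)
    user["oidc"].append({"iss": claims["iss"], "sub": claims["sub"], "aud": claims["aud"]})
    return True
```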
Difficulties/Questions
How do we put the password, which is stored hashed in LDAP, into the cache so that it can be injected into the Basic Authorization header?
  During the pairing process, we could encrypt the user's password with a symmetric method, using as the key a field (or a hash of several fields, ...) provided by the OpenID Connect provider and not stored in LDAP. In that case, a password change would trigger a new pairing process on the next use of OpenID Connect (the user would enter the new password again).
Does a process exist to add the new LDAP schema to the list of LDAP objectClasses of existing users (during an SSOwat update, for example)?
Does a Lua module exist to help with the connect/pairing process (getting the token, getting the userinfo, ...)?
Does an LDAP schema exist to store OpenID Connect information?
DRAFT