bouncepaw / mycorrhiza

🍄📑 Filesystem and git-based wiki engine for the independent web written in Go and using Mycomarkup as its primary markup language.
https://mycorrhiza.wiki
GNU Affero General Public License v3.0

Single Sign-On #74

Open handlerug opened 3 years ago

handlerug commented 3 years ago

https://en.wikipedia.org/wiki/Single_sign-on

ghost commented 3 years ago

https://www.openldap.org/

ghost commented 3 years ago

https://ldap.com/client-apis/

This is the list of all the API libraries available; we probably need this one.

handlerug commented 3 years ago

The feature in question turned out to be an overly complex hairball of different protocols and communication methods with a ton of enterprise sauce on the top which I couldn't understand in a reasonable timeframe, so I'm unassigning it from myself. Feel free to pick it up.

handlerug commented 3 years ago

https://joonas.fi/2021/08/saml-is-insecure-by-design/ hehehe

bouncepaw commented 3 years ago

Are we still going to implement this?

chekoopa commented 3 years ago

@bouncepaw Depends on how we would implement it, and how hard it is. SSO is usually released as an Enterprise/Premium feature. 🤔

bouncepaw commented 3 years ago

So, maybe we should wait for some Enterprise/Premium money whale to come and offer gold for this feature? And close the issue for now, because I don't think it's going to happen any time soon.

chekoopa commented 3 years ago

An LDAP environment seems a little complicated to reproduce and mostly relies on M$ software (even though we have OpenLDAP). Do we have a real chance to put Mycorrhiza into the enterprise?

bouncepaw commented 3 years ago

Ew, Microsoft. Not in this mushroom garden.

chekoopa commented 3 years ago

I mean, it looks simple enough with the provided library: we just add one more user source and a whole configuration section. And it is usable in *nix enterprise networks with OpenLDAP installed, not only M$.

Just... Is anybody here ready to perform a proper battle test? I lost some teeth setting up ADDC on Linux when I was getting my bachelor's degree. Though NixOS could have some options to make it less painful.

bouncepaw commented 3 years ago

If it is so easy, then why did @handlerug resign from the task? They said it was hard. I suppose it is.

As for battle testing, @Astrr seems to be the best candidate. They are the one with the biggest interest in SSO after all.

This library was provided above: https://github.com/jtblin/go-ldap-client

It seems so unstable tbh.

Dunno, in short.

chekoopa commented 3 years ago

About simplicity, look at the usage example: https://github.com/jtblin/go-ldap-client#usage I haven't looked up any alternatives, but they're called low-level (we don't want to stick our hands into that, do we?).

In fact, this thing is just like simple sign-in, but instead of Mycorrhiza's own credentials DB it looks up the domain's one. The password has to be sent in plain text in this case, though.
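The comment above describes the mechanism exactly: the wiki keeps its login form and swaps the credential check for a bind against the directory as the user. The following is an added example written for this thread, not Mycorrhiza's code and not go-ldap-client's API; it shows that "one more user source" pattern and the two gotchas that this design makes easy to miss: the bind password travels in cleartext unless the connection is TLS-protected, and a simple bind with an empty password is an anonymous bind (RFC 4513 §5.1.2), so a backend that forwards whatever the form submitted lets any username log in with a blank password. The `Binder` and `UserSource` interfaces, the `BindDNTemplate` field, the `Dial` callback, the in-memory `fakeDirectory` and the `alice` account are all assumptions constructed for the example; a real deployment would dial an LDAPS or StartTLS connection with a client library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoTLS is returned when the bind would carry the password in cleartext.
var ErrNoTLS = errors.New("ldap: refusing to send a cleartext password without TLS")

// Binder is the one operation the login flow needs from an LDAP connection
// (assumed interface standing in for a real client's Bind method).
type Binder interface {
	Bind(dn, password string) error
}

// UserSource is a pluggable credential backend; the wiki's own user DB and
// the LDAP source would both implement it (assumed interface).
type UserSource interface {
	Authenticate(username, password string) (bool, error)
}

// LDAPSource authenticates by binding to the directory as the user.
type LDAPSource struct {
	BindDNTemplate string                                 // assumed config key, e.g. "uid=%s,ou=people,dc=example,dc=org"
	Dial           func() (conn Binder, tlsProtected bool, err error) // assumed: opens a connection and reports TLS state
}

// EscapeDNValue escapes an attribute value for use inside a DN (RFC 4514),
// so a username such as `alice,ou=admins` cannot change the DN structure.
func EscapeDNValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case strings.IndexByte(`,+"\<>;`, c) >= 0,
			c == '#' && i == 0,
			c == ' ' && (i == 0 || i == len(s)-1):
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Authenticate returns (true, nil) only when the directory accepts the user's
// own password over a TLS-protected connection.
func (l *LDAPSource) Authenticate(username, password string) (bool, error) {
	// An empty password turns a simple bind into an anonymous bind, which
	// directories typically accept; without this check a blank password
	// would "log in" as any user.
	if username == "" || password == "" {
		return false, nil
	}
	conn, tlsProtected, err := l.Dial()
	if err != nil {
		return false, err
	}
	if !tlsProtected { // simple bind sends the password in cleartext
		return false, ErrNoTLS
	}
	dn := fmt.Sprintf(l.BindDNTemplate, EscapeDNValue(username))
	if err := conn.Bind(dn, password); err != nil {
		return false, nil // every bind failure is "bad credentials"; leak no detail
	}
	return true, nil
}

// fakeDirectory is a constructed in-memory stand-in for an LDAP server.
type fakeDirectory struct{ passwords map[string]string }

func (f fakeDirectory) Bind(dn, password string) error {
	if password == "" {
		return nil // mimic the anonymous-bind behaviour of a real directory
	}
	if stored, ok := f.passwords[dn]; ok && stored == password {
		return nil
	}
	return errors.New("invalidCredentials")
}

// NewExampleSource wires the LDAP source to the constructed directory.
func NewExampleSource(tlsProtected bool) *LDAPSource {
	dir := fakeDirectory{passwords: map[string]string{
		"uid=alice,ou=people,dc=example,dc=org": "correct horse battery", // constructed sample account
	}}
	return &LDAPSource{
		BindDNTemplate: "uid=%s,ou=people,dc=example,dc=org",
		Dial:           func() (Binder, bool, error) { return dir, tlsProtected, nil },
	}
}

func main() {
	src := NewExampleSource(true)
	for _, c := range [][2]string{{"alice", "correct horse battery"}, {"alice", "wrong"}, {"alice", ""}} {
		ok, err := src.Authenticate(c[0], c[1])
		fmt.Printf("user=%q password=%q -> ok=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```

The empty-password check and the TLS check are the parts worth carrying over into whatever library ends up being used: neither is something the directory will enforce for you, and both failures are silent at the server side, which is why a battle test should include a blank-password login attempt and a capture of the wire to confirm the bind is encrypted.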

bouncepaw commented 3 years ago

Uh oh alright let's keep this open then

handlerug commented 3 years ago

It may look simple from the surface, but there might be some hidden gotchas that'll ruin the whole security model. I don't really want to deal with that possibility, so I resigned myself from the issue. Maybe it's simple, not like I know or care.

decentral1se commented 2 years ago

Yessss OpenID Connect support would be ideal, gonna take a look at #149 now :eyes: