fixthestatusquo / archive-proca-backend

Backend for the ultimate petition/campaigning tool
GNU Affero General Public License v3.0
7 stars 2 forks

Move the account management out of proca #56

Closed tttp closed 4 years ago

tttp commented 4 years ago

We have a lot of features that I'd love to see around the login/password:

Some of them are nice to have, some are missing features that will be a pain for our users

... and... ideally part of the login/account is handled from within the widget, or through a default widget builder wizard

... and... we might need the same identity on other tools (say a CRM or AB testing one, or whatever magic we want)

... and... we will have to remove the back-end + account anyway if we do an ECI version

Luckily, it seems there is an open source project that is meant to handle all of that:

https://www.ory.sh/kratos/docs/index https://www.ory.sh/hydra/docs/oauth2/

I had a very quick look, but my gut feeling is that we need to switch to them, they offer out of the box so many things we'd want.

marcinkoziej commented 4 years ago

ECI - can you remind why there should be no user? Some regulations?

Kratos - so this is a separate service that provides login via OpenID? This would mean Proca would have to just implement OpenID and that's it? Seems simpler.

tttp commented 4 years ago

On Sat, 23 May 2020, 09:48 Marcin Kozey, notifications@github.com wrote:

> ECI - can you remind why there should be no user? Some regulations?

Yeah, you need another 30 pages to explain your security around password and injection and rotation and minimum length and... The easiest is to say there isn't any backend and everything is from the CLI.

> Kratos - so this is a separate service that provides login via OpenID?

There is an endless stream of protocol names they mention supporting, I'm sure one will work easily for us ;)

> This would mean Proca would have to just implement OpenID and that's it? Seems simpler.


marcinkoziej commented 4 years ago

We are using Ory Kratos & friends to handle auth, Proca keeps the minimum for itself (authorization/ACLs)