root-systems / cobuy

:seedling: :package: :stew: :family: Helping people buy good food at good prices, together.
GNU Affero General Public License v3.0

using dex for authentication #471

Open gregorykan opened 6 years ago

gregorykan commented 6 years ago

@ahdinosaur @agentlewis might need a bit more context/specificity for this one

iainkirkpatrick commented 6 years ago

i'm interested in understanding the goals here - as i understand it, we want to be able to log into both Loomio + Cobuy with one login / form?

gregorykan commented 6 years ago

ok so LOL this has nothing to do with holodex which is what i originally thought.

@iainkirkpatrick dex is an oauth provider - you probably already knew this

gregorykan commented 6 years ago

chatted with @ahdinosaur , this ticket now simply involves setting dex up, with actual integration coming later

iainkirkpatrick commented 6 years ago

ok cool :)

danalexilewis commented 6 years ago

Correct! And styling it with tapin branding. Should say “tapin login” we can also set up loomio with it.

iainkirkpatrick commented 6 years ago

ok so briefly read over the dex docs - this is def stuff i haven't touched before. not to say that it will be easy / hard (looks interesting!) but i'm quite fuzzy how this is gonna work, esp with Loomio integration. Is this something we need before the first deadline?

danalexilewis commented 6 years ago

In theory it’s just another oauth2 provider that we give credentials to loomio team for.

Regarding do we need this. Short answer, yes. It's basically what makes our solution a complete solution rather than a collection of separate solutions.

iainkirkpatrick commented 6 years ago

hmmm ok re-reading i think i understand more... dex can act as an OAuth provider and issue tokens as FB, GH etc would. the idea then would basically be that all Tapin users must use this type of credential to log in? i.e. a dex 'Tapin' token. so we wouldn't have any other providers (FB, GH) that folks could log in with? i can see how that makes sense

danalexilewis commented 6 years ago

@iainkirkpatrick correct

iainkirkpatrick commented 6 years ago

found this blog talking about open ID connect https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1

iainkirkpatrick commented 6 years ago

ok, been grokking a bunch of Dex stuff today. i'm now at the point where i'm wondering - why are we wanting to roll Dex if we aren't wanting users to be able to sign in with other OIDC / identity providers like Google, Github etc? Wouldn't it be simpler to use a nodejs oauth server? Or am i missing some benefits of dex... it seems heavy-handed? (and i can't fully work it out but possibly missing some features like password reset?)

tagging @ahdinosaur @agentlewis

danalexilewis commented 6 years ago

From my point of view:

However the requirement is:

iainkirkpatrick commented 6 years ago

had a chat with @ahdinosaur briefly - gonna suss out whether node-oauth2-server is a better fit, probably as part of another specific dogstack app that handles identity. with the emphasis as @agentlewis pointed out above of being an MVP solution :) potentially we use dex in the future as part of this

danalexilewis commented 6 years ago

@iainkirkpatrick I am not too fussed what we use so long as we can get it up quick. I am obviously biased towards creating another dogstack app, if we can do it quick :) and that it takes care of all the standard flows on desktop and mobile and lastly that it is secure.

Also want to name the goal here is to have Single Sign On - SSO as I hadn’t named it above.

iainkirkpatrick commented 6 years ago

or... after reading a bit more... we could use dex, and roll our own OIDC server :D by roll our own i mean use https://github.com/panva/node-oidc-provider tho still not sure i'm fully understanding what the benefits of OpenID Connect over OAuth2 are, apart from 'it provides identity'

iainkirkpatrick commented 6 years ago

thought dump:

danalexilewis commented 6 years ago

@iainkirkpatrick

Note the requirement for a provider is specifically for other apps to use:

I don’t think this ticket is worth progressing if it doesn’t solve this. Ie we just deal with the fallout of people logging into tapindecide using a passwordless system and tapinbuy with a password.

Not sure if that helps...

iainkirkpatrick commented 6 years ago

@agentlewis yep i see using a single provider as solving that problem :) what do you think about all the Tapin apps sharing a single profile? that would be an optional, extra piece as i imagine the cost to change Loomio to deal with that would be not insignificant...

danalexilewis commented 6 years ago

Shared profile would be amazing - I think we can prep it by getting it working with cobuy and then work out with loomio what it would take to make it work for them. Probably a week's work.