unmojang / drasl

Yggdrasil-compatible API server for Minecraft
GNU General Public License v3.0

Single Sign-on #39

Open dfsek opened 11 months ago

dfsek commented 11 months ago

Hi! I am currently using this behind oauth2-proxy with Keycloak, but would love the ability to integrate directly with OpenID Connect, SAML, or plain old LDAP.

evan-goode commented 11 months ago

Hey! Yeah, some kind of SSO, probably via OIDC, would be nice and is certainly on the roadmap. As I see it there are a couple approaches:

  1. Have the registration page locked behind SSO. After signing in to SSO, the user can pick a Minecraft username and their Drasl account will be created. The Minecraft launchers will still only do password authentication, so a "Minecraft password" will be randomly generated and can be viewed in the web interface. To log in to the game, the user must paste this password into their Minecraft launcher.
  2. Alternatively, new users can log in to the web interface directly via SSO without visiting the "registration" page. Their account username is provided by the SSO provider. Minecraft usernames are limited to 16 characters (and have some additional restrictions) so this approach might not be ideal.
  3. Ideally, users wouldn't need to worry about a "Minecraft password", they would just be able to log in to the launcher through the OAuth2 identity provider, like how MSA login works now. This would require substantial work to implement on the launcher side.

I feel like approach 1 is probably going to be the best option, although approach 3 would be pretty cool.

dfsek commented 10 months ago

I personally think the first option is ideal. Already, the Minecraft username is separate from the drasl login name; this would also match how the MC username is separate from the Microsoft/Mojang email/userid. It'd also allow people to change their usernames in SSO-managed accounts. Also, I do agree that OIDC would be the best option.
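As an added illustration of approaches 1 and 2 above (example code, not part of drasl or of this thread), the sketch below takes the claims of an OIDC ID token, checks whether `preferred_username` is usable as a Minecraft username or the user must pick one on the registration page, links the account to the stable `sub` claim so the SSO username can change later, and generates the random launcher password. Claim names follow OIDC Core; the 3-16 character `[A-Za-z0-9_]` username rule is general Minecraft knowledge, not stated in the thread; the claims are constructed sample data.

```python
import re
import secrets

# Constructed sample ID-token claims, as an OIDC provider such as Keycloak
# would return them (not real tokens or real users).
SAMPLE_CLAIMS = [
    {"sub": "sub-0001", "preferred_username": "dfsek"},
    {"sub": "sub-0002", "preferred_username": "a.very.long.username.from.ldap"},
    {"sub": "sub-0003", "preferred_username": "jane doe"},
]

# Minecraft username rule: 3 to 16 characters, letters, digits and underscore.
MC_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")


def usable_as_minecraft_username(name: str) -> bool:
    """True if the SSO-provided name can be used as-is (approach 2)."""
    return MC_USERNAME_RE.fullmatch(name) is not None


def generate_launcher_password(n_bytes: int = 24) -> str:
    """Approach 1: a random 'Minecraft password' shown in the web UI and pasted
    into the launcher. 24 random bytes -> 32 URL-safe characters, CSPRNG-backed."""
    return secrets.token_urlsafe(n_bytes)


def plan_sso_registration(claims: dict) -> dict:
    """Decide how an SSO identity becomes a drasl account.

    The account is keyed on the stable 'sub' claim, never on the display name,
    so a username change at the identity provider does not orphan the account.
    """
    suggested = claims.get("preferred_username", "")
    auto_ok = usable_as_minecraft_username(suggested)
    return {
        "sso_subject": claims["sub"],
        "minecraft_username": suggested if auto_ok else None,
        "needs_username_prompt": not auto_ok,   # fall back to approach 1's pick-a-name page
        "launcher_password": generate_launcher_password(),
    }


if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(plan_sso_registration(c))
```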

dfsek commented 10 months ago

Additionally, an option to migrate/link existing accounts/usernames on first sign-in to SSO would be awesome! Perhaps on first SSO sign-in, if there are non-SSO accounts, there is an option to sign in with the "local" account, if that is done the user data is transferred from the local account and then the local account is deleted. That is definitely not essential, though. Could just make everyone recreate their accounts haha.