User authentication

[Andersos]

We need to support some user authentication.
Passport (http://passportjs.org/) looks nice and we might have to make a SPID passport provider if we want to use SPID for authentication.

[sveinelo]

From a short glance at passportjs it does not look llike it supports LDAP, but that might not be an issue for us. At all the places where I worked when I was a consultant, they used LDAP (Active Directory) to authenticate their users on the intranet. http://ldapjs.org/client.html

We'll have to figure out a good way to solve this. Hopefully we can avoid patching unleash-server and support different authentication through some form of configuration.

[Andersos]

What is the advantage of using LDAP? Isen't OAuth 2.0 sufficient?
We could use Crowd (https://www.atlassian.com/software/crowd/overview) but i don't think all Finn employees are represented there.

[gardleopard]

We could support basic auth, ldap authentication is supported in apache. http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html.

oauth https://code.google.com/p/mod-auth-oauth/wiki/mod_auth_oauth

It would be nice to get away with just supporting basic auth in unleash and let apache handle authentication.

[sveinelo]

My point was that in most companies they use LDAP for their internal user. In Unleash we want to restict access to the admin panel, and when someone does something, we want to log who it was who did it. Any mechanism with unique users should be sufficent (one admin user with a commonly known password is not want we want).

Role based authorization we can skip?

[gardleopard]

I'm not sure about how we should do this at finn. I suppose we could create a container of some sort around the admin interface providing a username in basic auth style and use that when we send data to the unleash-server. Imho the server should store usernames in changes if available, but let updates and creates pass without it.

[ivarconr]

I purpose a simple first edition of this where we require the user specify his username in order to do modifications. It will not serve any authentication or security, but at least allow us to see who did what (with behaving users).

[ivarconr]

I have started looking in to this.

[Andersos]

Im not sure #79 really closes this. We might have to get some requirements from @kjartis about the authentication requirements for Unleash.

[ivarconr]

your probably right. I was a bit fast on the closes message.

[Andersos]

After the meeting this is the latest status (ref Unleash/unleash-client-java#18):
You should always be able to turn on or off toggles even if the authentication provider is down.
Ideally everyone that dose a change need to be logged by name.
We will investigate using basic auth and having Crowd as the user provider.

[Andersos]

So was basic auth ever added?

[ivarconr]

not yet.

On Thu, 25 Jun 2015 at 21:23 Anders Olsen Sandvik notifications@github.com
wrote:

So was basic auth ever added?

—
Reply to this email directly or view it on GitHub
#33 (comment).