New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Act as OpenID Connect provider #11481
Comments
Wooow! Are we sure we want to maintain our own OIDC server? I could be wrong but it seems to me like a lot of work. I would first enable other OIDC existing servers. What's the need behind this @kirstenalarsen @lin-d-hop ? |
Or maybe I misunderstood: this issue would enable to use a "login with lescommun" button and my current OIDC user on FR would be able to login on any OFN instance when this is done? |
Thanks for questioning me here. There are free software solutions out there to deploy and use. So it's definitely worth looking at that option and comparing. Becoming an OIDC provider came from two use cases:
In either case, we could authenticate via a third party but it would be much simpler for users to re-use their existing OFN account. There are several things to consider though:
I don't think that I can decide this on my own. I'm not even that familiar with OIDC providers. But since we do manage user accounts and have an API, it does make sense to me to authenticate with OFN servers as well. Or, we go into a completely different direction, get rid of OFN instance accounts and move to a global single-sign-on server. That would be much simpler but makes instances also less independent and they become vulnerable to this single point of failure. I would prefer to build on our distributed network of instances and find a scalable solution without compromising user choice on privacy etc. And it's not like we have to implement everything from scratch. We use an existing library for OIDC for which we just need to add the UX and our custom logic. We could discuss this at the delivery circle but the team probably doesn't know enough about the topic yet. Maybe @Matt-Yorkley and I should have a chat about this first? Shall we work out a time? |
Yes sorry I took lescommuns as an example but I def. agree they don't work as a global audience. It seems to me a bit outside of OFN league to become an auth provider. I fear the monopolistic aspect, but you did a very good summary of the situation, so I don't have anything to add - thanks :) Looking forward to hear what conclusion will come up from your chat! |
Previous thread on the topic: https://community.openfoodnetwork.org/t/allow-other-tools-to-rely-on-ofn-for-user-registration/1456/10 |
I'll close this for now. I don't think that we have a strong enough case for this work. We can setup a global OFN Keycloak if we want. OFN being a provider would simplify some user stories because people don't need to sign up with another server as well. But we don't want to make our code base bigger when there's another solution. |
Description
An OpenID Connect (OIDC) provider can be used by other applications to authenticate users. We currently use login.lescommuns.org as provider to authenticate requests to the OFN DFC API. But by becoming a provider ourselves, we can authenticate users across OFN instances. That will allow a user of Open Food Network Germany to log into Open Food Network Belgium without setting a new password. And it will then allow the user to move DFC data between the instances. It will also allow new custom apps to use OFN accounts without requiring a sign-up process itself.
Acceptance Criteria & Tests
Existing code
The OFN DFC API verifies OIDC tokens against one provider already:
openfoodnetwork/engines/dfc_provider/app/services/authorization_control.rb
Lines 3 to 8 in 67d5ffd
Since each OFN instance is an ID provider itself, it can generate tokens to authenticate any OFN DFC API requests from then on.
Estimate summary: 7 days.
The text was updated successfully, but these errors were encountered: