Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Alec Warner]

On Tue, May 19, 2020 at 5:46 AM Samuel Bernardo <
samuelbernardo.m...@gmail.com> wrote:

> On 5/19/20 7:47 AM, Michał Górny wrote:
> > Do you have any specific solution in mind?
> >
> > [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
> I would suggest for SSO an implementation like the following with LDAP
> provider:
>
> https://github.com/Luzifer/nginx-sso/wiki/Auth-Provider-Configuration


Thanks for pointing this out, we might use it for legacy apps that don't
have solid saml / openid integration.
I want to link it against keycloak though because LDAP doesn't support
newer auth standards like u2f.

-A

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Michał Górny]

On Wed, 2020-05-20 at 00:59 -0700, Alec Warner wrote:
> On Wed, May 20, 2020 at 12:26 AM Michał Górny  wrote:
> 
> > On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> > > On Tue, May 19, 2020 at 1:23 AM Lars Wendler 
> > > wrote:
> > > 
> > > > Hi Alec,
> > > > 
> > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > > > 
> > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > > > provides authentication for Gentoo properties? Basically, 1 username
> > /
> > > > > password for wiki, bugs, email, forums, and any other http
> > > > > service[0][1].
> > > > > 
> > > > > Today Gentoo has numerous systems that mostly work in a segmented
> > way.
> > > > > - To connect to hosts, we use ssh keys.
> > > > > - Git is authenticated via ssh keys.
> > > > > - Email uses LDAP passwords.
> > > > > - Bugzilla has its own identities, with their own passwords.
> > > > > - Wiki is separate, with its own passwords.
> > > > > - Forums are separate.
> > > > > - Infra has an additional 4 systems that use separate credentials.
> > > > > 
> > > > > Some applications support 2FA (such as wiki.)
> > > > > Some applications do not support 2FA.
> > > > > Applications that require 2FA have a configuration for each app, so
> > you
> > > > > have N configurations.
> > > > > 
> > > > > If we configured id.gentoo.org you would have 1 identity across all
> > > > > gentoo properties.
> > > > > 
> > > > > Is this a thing people are interested in?
> > > > > 
> > > > > [0] It's unlikely operations for git via ssh would change in this
> > > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any
> > > > > community member." The former have LDAP accounts and @gentoo.org
> > email
> > > > > addresses and so we can manage them easily; managing 1000s of other
> > > > > accounts in the IDP remains to be seem.
> > > > 
> > > > In case 2FA won't be mandatory I find this a good idea.
> > > > 
> > > 
> > > 2FA is definitely a reason to deploy software like keycloak, but in the
> > > first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> > > U2F support in keycloak and then, similar to our earlier program, offer
> > > discounted or free u2f devices for Gentoo developers; this would likely
> > be
> > > on a 1-2 year timeframe.
> > > 
> > > Is there some reason you don't want to use 2FA?
> > > 
> > 
> > I myself would find 2FA bothersome for low importance services.  Whether
> > it's U2F or OTP, I would generally find it silly to have to carry
> > the hardware/software on me all the time or even use it when it's laying
> > right next to me, say, just to approve a comment on a blog.
> > 
> > But I guess if we go for SSO, it becomes a necessity to better protect
> > our passwords.
> > 
> 
> I think each application, when it ends up integrating with keycloak, gets
> to decide what security level the application wants; I think this leads to
> flexibility for low-importance stuff. E.g. we may not need OTP for blogs,
> or wiki. Obvious cases are apps like our AWS credentials (where theft means
> financial harm for Gentoo) or the sso.gentoo.org itself (because you
> probably want to require OTP to change your password, for example.)
> 

This is going only to work if you can have multiple passwords per
security level.  Otherwise, a low-level login could be used to guess
your password, then a separate attack against the second factor could be
devised.

Of course, I'm assuming that 2FA is implemented properly here, without
giving tips about each factor separately.

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Alec Warner]

On Wed, May 20, 2020 at 12:26 AM Michał Górny  wrote:

> On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> > On Tue, May 19, 2020 at 1:23 AM Lars Wendler 
> > wrote:
> >
> > > Hi Alec,
> > >
> > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > >
> > > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > > provides authentication for Gentoo properties? Basically, 1 username
> /
> > > > password for wiki, bugs, email, forums, and any other http
> > > > service[0][1].
> > > >
> > > > Today Gentoo has numerous systems that mostly work in a segmented
> way.
> > > >
> > > > - To connect to hosts, we use ssh keys.
> > > > - Git is authenticated via ssh keys.
> > > > - Email uses LDAP passwords.
> > > > - Bugzilla has its own identities, with their own passwords.
> > > > - Wiki is separate, with its own passwords.
> > > > - Forums are separate.
> > > > - Infra has an additional 4 systems that use separate credentials.
> > > >
> > > > Some applications support 2FA (such as wiki.)
> > > > Some applications do not support 2FA.
> > > > Applications that require 2FA have a configuration for each app, so
> you
> > > > have N configurations.
> > > >
> > > > If we configured id.gentoo.org you would have 1 identity across all
> > > > gentoo properties.
> > > >
> > > > Is this a thing people are interested in?
> > > >
> > > > [0] It's unlikely operations for git via ssh would change in this
> > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any
> > > > community member." The former have LDAP accounts and @gentoo.org
> email
> > > > addresses and so we can manage them easily; managing 1000s of other
> > > > accounts in the IDP remains to be seem.
> > >
> > > In case 2FA won't be mandatory I find this a good idea.
> > >
> >
> > 2FA is definitely a reason to deploy software like keycloak, but in the
> > first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> > U2F support in keycloak and then, similar to our earlier program, offer
> > discounted or free u2f devices for Gentoo developers; this would likely
> be
> > on a 1-2 year timeframe.
> >
> > Is there some reason you don't want to use 2FA?
> >
>
> I myself would find 2FA bothersome for low importance services.  Whether
> it's U2F or OTP, I would generally find it silly to have to carry
> the hardware/software on me all the time or even use it when it's laying
> right next to me, say, just to approve a comment on a blog.
>
> But I guess if we go for SSO, it becomes a necessity to better protect
> our passwords.
>

I think each application, when it ends up integrating with keycloak, gets
to decide what security level the application wants; I think this leads to
flexibility for low-importance stuff. E.g. we may not need OTP for blogs,
or wiki. Obvious cases are apps like our AWS credentials (where theft means
financial harm for Gentoo) or the sso.gentoo.org itself (because you
probably want to require OTP to change your password, for example.)

The other common thing I've seen is some kind of longer-lived renewable
token that requires an OTP to get, but does not require an OTP to renew.
These are commonly things like "API keys" or other such credentials that
are scopeable (unlike a password) and revocable (e.g. you can go to
sso.gentoo.org and revoke your token.) This seems more common on mobile
where there is a 'setup' flow and maybe you do it once (at setup), or once
a month, or whatnot. This would mean you don't have to OTP all the time.

-A


> --
> Best regards,
> Michał Górny
>
>

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Lars Wendler]

On Wed, 20 May 2020 00:21:37 -0700 Alec Warner wrote:

>On Tue, May 19, 2020 at 1:23 AM Lars Wendler 
>wrote:
>
>> Hi Alec,
>>
>> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
>>
>> >TL;DR: What if we launched id.gentoo.org, an identity provider that
>> >provides authentication for Gentoo properties? Basically, 1
>> >username / password for wiki, bugs, email, forums, and any other
>> >http service[0][1].
>> >
>> >Today Gentoo has numerous systems that mostly work in a segmented
>> >way.
>> >
>> > - To connect to hosts, we use ssh keys.
>> > - Git is authenticated via ssh keys.
>> > - Email uses LDAP passwords.
>> > - Bugzilla has its own identities, with their own passwords.
>> > - Wiki is separate, with its own passwords.
>> > - Forums are separate.
>> > - Infra has an additional 4 systems that use separate credentials.
>> >
>> >Some applications support 2FA (such as wiki.)
>> >Some applications do not support 2FA.
>> >Applications that require 2FA have a configuration for each app, so
>> >you have N configurations.
>> >
>> >If we configured id.gentoo.org you would have 1 identity across all
>> >gentoo properties.
>> >
>> >Is this a thing people are interested in?
>> >
>> >[0] It's unlikely operations for git via ssh would change in this
>> >rollout. [1] Its unclear if the scope is "gentoo developers" or "any
>> >community member." The former have LDAP accounts and @gentoo.org
>> >email addresses and so we can manage them easily; managing 1000s of
>> >other accounts in the IDP remains to be seem.
>>
>> In case 2FA won't be mandatory I find this a good idea.
>>
>
>2FA is definitely a reason to deploy software like keycloak, but in the
>first rollout I don't expect to enforce 2FA. Ideally we would deploy
>the U2F support in keycloak and then, similar to our earlier program,
>offer discounted or free u2f devices for Gentoo developers; this would
>likely be on a 1-2 year timeframe.
>
>Is there some reason you don't want to use 2FA?
>
>-A

Well, I haven't found any 2FA solution that isn't a PITA to use.
Especially Nitrokey is not easily useable for 2FA. And having some OTP
or U2F software on my mobile phone is a no-go.
I know about the value of 2FA and I use it in some places but I find it
not being the perfect solution for everything. 

>>
>> Kind regards
>> --
>> Lars Wendler
>> Gentoo package maintainer
>> GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39
>>


Cheers
-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39


pgpuB4K6yaZYS.pgp
Description: Digitale Signatur von OpenPGP

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Michał Górny]

On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> On Tue, May 19, 2020 at 1:23 AM Lars Wendler 
> wrote:
> 
> > Hi Alec,
> > 
> > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > 
> > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > provides authentication for Gentoo properties? Basically, 1 username /
> > > password for wiki, bugs, email, forums, and any other http
> > > service[0][1].
> > > 
> > > Today Gentoo has numerous systems that mostly work in a segmented way.
> > > 
> > > - To connect to hosts, we use ssh keys.
> > > - Git is authenticated via ssh keys.
> > > - Email uses LDAP passwords.
> > > - Bugzilla has its own identities, with their own passwords.
> > > - Wiki is separate, with its own passwords.
> > > - Forums are separate.
> > > - Infra has an additional 4 systems that use separate credentials.
> > > 
> > > Some applications support 2FA (such as wiki.)
> > > Some applications do not support 2FA.
> > > Applications that require 2FA have a configuration for each app, so you
> > > have N configurations.
> > > 
> > > If we configured id.gentoo.org you would have 1 identity across all
> > > gentoo properties.
> > > 
> > > Is this a thing people are interested in?
> > > 
> > > [0] It's unlikely operations for git via ssh would change in this
> > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any
> > > community member." The former have LDAP accounts and @gentoo.org email
> > > addresses and so we can manage them easily; managing 1000s of other
> > > accounts in the IDP remains to be seem.
> > 
> > In case 2FA won't be mandatory I find this a good idea.
> > 
> 
> 2FA is definitely a reason to deploy software like keycloak, but in the
> first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> U2F support in keycloak and then, similar to our earlier program, offer
> discounted or free u2f devices for Gentoo developers; this would likely be
> on a 1-2 year timeframe.
> 
> Is there some reason you don't want to use 2FA?
> 

I myself would find 2FA bothersome for low importance services.  Whether
it's U2F or OTP, I would generally find it silly to have to carry
the hardware/software on me all the time or even use it when it's laying
right next to me, say, just to approve a comment on a blog.

But I guess if we go for SSO, it becomes a necessity to better protect
our passwords.

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Alec Warner]

On Tue, May 19, 2020 at 1:23 AM Lars Wendler 
wrote:

> Hi Alec,
>
> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
>
> >TL;DR: What if we launched id.gentoo.org, an identity provider that
> >provides authentication for Gentoo properties? Basically, 1 username /
> >password for wiki, bugs, email, forums, and any other http
> >service[0][1].
> >
> >Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> > - To connect to hosts, we use ssh keys.
> > - Git is authenticated via ssh keys.
> > - Email uses LDAP passwords.
> > - Bugzilla has its own identities, with their own passwords.
> > - Wiki is separate, with its own passwords.
> > - Forums are separate.
> > - Infra has an additional 4 systems that use separate credentials.
> >
> >Some applications support 2FA (such as wiki.)
> >Some applications do not support 2FA.
> >Applications that require 2FA have a configuration for each app, so you
> >have N configurations.
> >
> >If we configured id.gentoo.org you would have 1 identity across all
> >gentoo properties.
> >
> >Is this a thing people are interested in?
> >
> >[0] It's unlikely operations for git via ssh would change in this
> >rollout. [1] Its unclear if the scope is "gentoo developers" or "any
> >community member." The former have LDAP accounts and @gentoo.org email
> >addresses and so we can manage them easily; managing 1000s of other
> >accounts in the IDP remains to be seem.
>
> In case 2FA won't be mandatory I find this a good idea.
>

2FA is definitely a reason to deploy software like keycloak, but in the
first rollout I don't expect to enforce 2FA. Ideally we would deploy the
U2F support in keycloak and then, similar to our earlier program, offer
discounted or free u2f devices for Gentoo developers; this would likely be
on a 1-2 year timeframe.

Is there some reason you don't want to use 2FA?

-A


>
> Kind regards
> --
> Lars Wendler
> Gentoo package maintainer
> GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39
>

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Alec Warner]

On Mon, May 18, 2020 at 11:47 PM Michał Górny  wrote:

> On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > provides authentication for Gentoo properties? Basically, 1 username /
> > password for wiki, bugs, email, forums, and any other http service[0][1].
> >
> > Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> >  - To connect to hosts, we use ssh keys.
> >  - Git is authenticated via ssh keys.
> >  - Email uses LDAP passwords.
> >  - Bugzilla has its own identities, with their own passwords.
> >  - Wiki is separate, with its own passwords.
> >  - Forums are separate.
> >  - Infra has an additional 4 systems that use separate credentials.
> >
> > Some applications support 2FA (such as wiki.)
> > Some applications do not support 2FA.
> > Applications that require 2FA have a configuration for each app, so you
> > have N configurations.
> >
> > If we configured id.gentoo.org you would have 1 identity across all
> gentoo
> > properties.
> >
> > Is this a thing people are interested in?
> >
>
> What a coincidence I've just archived our old identity.gentoo.org [1]
> project.  And yes, we almost had this back in 2013 but Infra failed to
> deploy, and it was claimed obsolete by the time I joined Infra.
>
> Do you have any specific solution in mind?
>

Currently we have a standalone keycloak install with LDAP user federation.
We are looking to do a domain installation for redundancy purposes.
Our existing LDAP infrastructure for example (which few services use for
Auth) has at least 3 replicas.

-A


>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
>
> --
> Best regards,
> Michał Górny
>
>

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Samuel Bernardo]

On 5/19/20 7:47 AM, Michał Górny wrote:
> Do you have any specific solution in mind?
>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/

I would suggest for SSO an implementation like the following with LDAP
provider:

https://github.com/Luzifer/nginx-sso/wiki/Auth-Provider-Configuration




signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Lars Wendler]

Hi Alec,

On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:

>TL;DR: What if we launched id.gentoo.org, an identity provider that
>provides authentication for Gentoo properties? Basically, 1 username /
>password for wiki, bugs, email, forums, and any other http
>service[0][1].
>
>Today Gentoo has numerous systems that mostly work in a segmented way.
>
> - To connect to hosts, we use ssh keys.
> - Git is authenticated via ssh keys.
> - Email uses LDAP passwords.
> - Bugzilla has its own identities, with their own passwords.
> - Wiki is separate, with its own passwords.
> - Forums are separate.
> - Infra has an additional 4 systems that use separate credentials.
>
>Some applications support 2FA (such as wiki.)
>Some applications do not support 2FA.
>Applications that require 2FA have a configuration for each app, so you
>have N configurations.
>
>If we configured id.gentoo.org you would have 1 identity across all
>gentoo properties.
>
>Is this a thing people are interested in?
>
>[0] It's unlikely operations for git via ssh would change in this
>rollout. [1] Its unclear if the scope is "gentoo developers" or "any
>community member." The former have LDAP accounts and @gentoo.org email
>addresses and so we can manage them easily; managing 1000s of other
>accounts in the IDP remains to be seem.

In case 2FA won't be mandatory I find this a good idea.

Kind regards
-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39


pgpL2XtvxjHG4.pgp
Description: Digitale Signatur von OpenPGP

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Joonas Niilola]

On 5/19/20 4:42 AM, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org , an
> identity provider that provides authentication for Gentoo properties?
> Basically, 1 username / password for wiki, bugs, email, forums, and
> any other http service[0][1].
>
>
> Is this a thing people are interested in?
>  
>
Sounds good to me.

-- juippis



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Azamat Hackimov]

вт, 19 мая 2020 г. в 09:47, Michał Górny :
>
> On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > provides authentication for Gentoo properties? Basically, 1 username /
> > password for wiki, bugs, email, forums, and any other http service[0][1].
> >
> > Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> >  - To connect to hosts, we use ssh keys.
> >  - Git is authenticated via ssh keys.
> >  - Email uses LDAP passwords.
> >  - Bugzilla has its own identities, with their own passwords.
> >  - Wiki is separate, with its own passwords.
> >  - Forums are separate.
> >  - Infra has an additional 4 systems that use separate credentials.
> >
> > Some applications support 2FA (such as wiki.)
> > Some applications do not support 2FA.
> > Applications that require 2FA have a configuration for each app, so you
> > have N configurations.
> >
> > If we configured id.gentoo.org you would have 1 identity across all gentoo
> > properties.
> >
> > Is this a thing people are interested in?
> >
>
> What a coincidence I've just archived our old identity.gentoo.org [1]
> project.  And yes, we almost had this back in 2013 but Infra failed to
> deploy, and it was claimed obsolete by the time I joined Infra.
>
> Do you have any specific solution in mind?
>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
>
> --
> Best regards,
> Michał Górny
>

Hi there.

Maybe better to try something already stable, like KeyCloak [1]? Seem
all that you need (OpenID, LDAP, SAML2, external Identity Providers
via OpenID) is already implemented.

[1] https://www.keycloak.org/

-- 
>From Siberia with Love!

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Michał Górny]

On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org, an identity provider that
> provides authentication for Gentoo properties? Basically, 1 username /
> password for wiki, bugs, email, forums, and any other http service[0][1].
> 
> Today Gentoo has numerous systems that mostly work in a segmented way.
> 
>  - To connect to hosts, we use ssh keys.
>  - Git is authenticated via ssh keys.
>  - Email uses LDAP passwords.
>  - Bugzilla has its own identities, with their own passwords.
>  - Wiki is separate, with its own passwords.
>  - Forums are separate.
>  - Infra has an additional 4 systems that use separate credentials.
> 
> Some applications support 2FA (such as wiki.)
> Some applications do not support 2FA.
> Applications that require 2FA have a configuration for each app, so you
> have N configurations.
> 
> If we configured id.gentoo.org you would have 1 identity across all gentoo
> properties.
> 
> Is this a thing people are interested in?
> 

What a coincidence I've just archived our old identity.gentoo.org [1]
project.  And yes, we almost had this back in 2013 but Infra failed to
deploy, and it was claimed obsolete by the time I joined Infra.

Do you have any specific solution in mind?

[1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/


-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part

Re: [gentoo-dev] RFC: Gentoo Identity Provider

[Fabian Groffen]

On 18-05-2020 18:42:24 -0700, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org[1], an identity provider that 
> provides
> authentication for Gentoo properties? Basically, 1 username / password for 
> wiki,
> bugs, email, forums, and any other http service[0][1].

I'd be in favour of SSO for all http-, imap- and smtp-based Gentoo services.

Thanks,
Fabian

> 
> Today Gentoo has numerous systems that mostly work in a segmented way.
> 
>  - To connect to hosts, we use ssh keys.
>  - Git is authenticated via ssh keys.
>  - Email uses LDAP passwords.
>  - Bugzilla has its own identities, with their own passwords.
>  - Wiki is separate, with its own passwords.
>  - Forums are separate.
>  - Infra has an additional 4 systems that use separate credentials.
> 
> Some applications support 2FA (such as wiki.)
> Some applications do not support 2FA.
> Applications that require 2FA have a configuration for each app, so you have N
> configurations.
> 
> If we configured id.gentoo.org[2] you would have 1 identity across all gentoo
> properties.
> 
> Is this a thing people are interested in?
>  
> [0] It's unlikely operations for git via ssh would change in this rollout.
> [1] Its unclear if the scope is "gentoo developers" or "any community member."
> The former have LDAP accounts and @gentoo.org[3] email addresses and so we can
> manage them easily; managing 1000s of other accounts in the IDP remains to be
> seem.
> 
> 
> References
>1. http://id.gentoo.org
>2. http://id.gentoo.org
>3. http://gentoo.org

-- 
Fabian Groffen
Gentoo on a different level


signature.asc
Description: PGP signature

[gentoo-dev] RFC: Gentoo Identity Provider

[Alec Warner]

TL;DR: What if we launched id.gentoo.org, an identity provider that
provides authentication for Gentoo properties? Basically, 1 username /
password for wiki, bugs, email, forums, and any other http service[0][1].

Today Gentoo has numerous systems that mostly work in a segmented way.

 - To connect to hosts, we use ssh keys.
 - Git is authenticated via ssh keys.
 - Email uses LDAP passwords.
 - Bugzilla has its own identities, with their own passwords.
 - Wiki is separate, with its own passwords.
 - Forums are separate.
 - Infra has an additional 4 systems that use separate credentials.

Some applications support 2FA (such as wiki.)
Some applications do not support 2FA.
Applications that require 2FA have a configuration for each app, so you
have N configurations.

If we configured id.gentoo.org you would have 1 identity across all gentoo
properties.

Is this a thing people are interested in?

[0] It's unlikely operations for git via ssh would change in this rollout.
[1] Its unclear if the scope is "gentoo developers" or "any community
member." The former have LDAP accounts and @gentoo.org email addresses and
so we can manage them easily; managing 1000s of other accounts in the IDP
remains to be seem.