Add Google OAuth login #31

Open
SaracenOne opened this issue Feb 10, 2021 · 0 comments
Labels
enhancement New feature or request

Comments

Collaborator

SaracenOne commented Feb 10, 2021

  • Status: proposed
  • Deciders: @SaracenOne
  • Date: 2021-02-10

Context and Problem Statement

Add support for logging in with a Google account.

Decision Drivers

  • People don't want to duplicate accounts across the internet.
  • Easier to secure one account

Considered Options

  1. Support only password and email
  2. Support Google OAuth
  3. Support Google OAuth and others
  4. Double Sign-in - Support only URO OIDC and email password. URO OIDC redirects to a proper Google OAuth and others.

Decision Outcome

Choose Double Sign-in

Positive Consequences

  • Single sign on is allowed
  • Does not hard code the secrets of the Google auth

Negative Consequences

  • Client has a public token to submit logins
  • If a Google account is compromised, the permissions lost are those defined by Google OAuth.

Pros and Cons of the Options

Double Sign-in - Support only URO OIDC and email password.

We click on the Google button to have URO open a browser redirected to Google.

  • Good, the URO server knows how to contact the proper OIDC identity provider
  • Good, this allows us the flexibility to not hard code the external OIDC identity providers
  • Bad, because we have to run an OIDC identity provider
  • Bad, because the trust is the sum of all the identity provider securities

Support only password and email

We already do this.

  • Good, because it is the bare minimum for bootstrapping
  • Bad, because it adds another account system to the players

Support Google OAuth

We add Google OAuth.

  • Good, because Google is a widely trusted identity provider
  • Bad, because Google is only one identity provider
  • Bad, because keys for the Google provider need to be hard coded.

Support Google OAuth and others

We add Google OAuth and others.

  • Good, because Google is not the only identity provider
  • Bad, because the trust is the sum of all the identity provider securities
  • Bad, because keys for the Google provider need to be hard coded.
  • Bad, because keys for the other IDC providers need to be hard coded.

Links

SaracenOne added the enhancement label on Feb 10, 2021