Requesting Single Sign-On for Wiki & GitLab

Thus far, I’ve been trying to make things faster/smoother/better for newcomers. (Hopefully, I’ll get to core Haskell code soon. I’m just sensitive to “snow in the way” for me and others in the same boat.)

In that vein, I request single sign-on/off for Wiki, Community & GitLab. I was quite blown away by the number of accounts I had to make as a newcomer. Thankfully, that number has been trimmed down to just the aforementioned three. (No longer need a Taiga account due to the decision to stick to GitLab; and I never needed a GitLab account at GitLab.com – that was just my mistake. That’s 4 or 5 down to 3.)

But how? Well, a couple quick searches bring up Keycloak for Discourse and for GitLab. But that’s just the quick-search solution. Maybe one of you would know a better way. NB: Keycloak is open-source.

1 Appreciation

@wolftune Are Wiki and Community already tied together? I see you edited the title to mention only Wiki & GitLab.

@thomasj10, Discourse supports using an external provider for single sign on, and Snowdrift has been using it. So if you have a Snowdrift account, you can use it to log into this Discourse instance.

There is more than one way to organize this single sign on setup. But I agree that either way, it’s definitely annoying and unnecessary to require people to make a separate account for each system.

Another note, the wiki runs Gitit, which probably has the least flexibility and least to zero chance that there’s any way to change the login to work the way we want, other than patching Gitit further (the Snowdrift wiki is already running a custom patched version).

@fr33domlover Good to know. Thank you.

So, if Discourse and GitLab were linked by Keycloak, would that mean you can no longer use your wiki account to log into Discourse? (Because Keycloak would be taking up the “external provider” spot, kicking out the Wiki (Snowdrift) provider?)

I’m not clear if you were fully understanding the primary log-in: Snowdrift.coop the main platform itself. That is the primary we emphasize. And it’s that login (not wiki) that is used for Discourse, but it’s not used for anything else yet.

We do not want anyone to be encouraged to log-in to Snowdrift.coop, the main site, via any proprietary service or anything, and while we could offer some possible “log in with…” for some totally fine FLO service, we don’t currently and have no plans for that, but we could discuss the issues with such a direction.

So, Keycloak? I don’t know, we can investigate it. I’m not familiar. But it needs to be considered how it fits with our main log-in to the core site.

It certainly would be ideal for the single log-in to Snowdrift.coop to allow access to everything else.

So, the only things that are separate log-ins currently are wiki and GitLab (hence the title clarification).

As @fr33domlover mentioned, wiki is just awkward, and while we’d like it all integrated (and improved in a number of ways), discussing the wiki status is a big topic

In short: we originally had an integrated wiki but it was beyond our scope to handle it. Gitit offered the best overall balance we could find. The core needs are git-backed, fully-FLO, and featureful enough for things like footnotes, hierarchy, and tags (GitLab’s built-in wiki has only a couple of these). If you want to discuss getting a better wiki situation, that should be a new topic.

Our GitLab instance could possibly offer sign-in with some extra outside services, but I’m not sure if we can practically tie it to the core Snowdrift.coop sign-in.

All that said: Most users (not active volunteer / team folks) will only use Discourse and the main Snowdrift.coop site (although we’d like to make wiki more accessible). It’s not awful to have the one extra git.snowdrift.coop account, although on balance it would be nice if SSO were an option.

Last note: the wiki can be edited through the git repo, so anyone with a git.snowdrift.coop account can submit wiki changes that way. So there’s really only two accounts needed: Snowdrift.coop and git.snowdrift.coop.

@wolftune Thank you. I was forgetting the main site login.

I’m not sure how log-on/off works under the hood, but it appears that “log out” is just a link. Further, if I’m logged into the main site, logging into Discourse is also, apparently, just a link (if I click it instead of manually logging in).

Just a thought:

EDIT: If everything is on the same server, there may be no need for Keycloak or cookies: perhaps the backends could all talk to each other by editing the same database / using APIs. That’d be a lot better than cookies. That way, the user doesn’t have to set the “sync” preference on each new machine.

If the above is true, it does not sound too difficult to implement a personal preference on the main site: that when you log into it, you also log into Discourse, and when you log out of the main site, you log out of Discourse.

If this personal preference plants a cookie, we could have a page before Discourse at community.snowdrift.coop. In the presence of the cookie, it passes your log-on to the main site & Discourse. In the absence of the cookie, it gives the normal log-in.

Thus far, no Keycloak involved. Next: integrate the main site’s login with Keycloak for GitLab, conditional to the aforementioned preference.

Again, I’m not sure how feasible all that is, but it sounds possible.

1 Appreciation
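
On the "under the hood" question raised in the thread: this is an added example, not part of any post and not Snowdrift's code, sketching the signed-redirect exchange that Discourse's external-provider SSO (DiscourseConnect) uses in place of shared cookies or a shared database. The secret, user record, and host names are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed shared secret; both Discourse and the provider are configured with it.
SECRET = b"constructed-example-secret"


def sign(payload_b64, secret=SECRET):
    """Hex HMAC-SHA256 over the base64 payload, as carried in the `sig` parameter."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def discourse_request(nonce, return_url):
    """Discourse side: the (sso, sig) pair placed in the redirect to the provider."""
    raw = urlencode({"nonce": nonce, "return_sso_url": return_url})
    sso = base64.b64encode(raw.encode()).decode()
    return sso, sign(sso)


def provider_response(sso, sig, user):
    """Provider side (the main site): verify the request, then sign a reply
    describing the already-authenticated user."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("request signature mismatch")
    fields = parse_qs(base64.b64decode(sso).decode())
    # The return URL is trusted only because the signature above covers it.
    return_url = fields["return_sso_url"][0]
    raw = urlencode({
        "nonce": fields["nonce"][0],  # echoed back so Discourse can match the reply
        "external_id": user["id"],
        "email": user["email"],
    })
    reply = base64.b64encode(raw.encode()).decode()
    return return_url, reply, sign(reply)


def discourse_accept(reply, sig, expected_nonce):
    """Discourse side: accept the login only if the signature and nonce match."""
    if not hmac.compare_digest(sign(reply), sig):
        raise ValueError("reply signature mismatch")
    fields = parse_qs(base64.b64decode(reply).decode())
    if fields["nonce"][0] != expected_nonce:
        raise ValueError("nonce mismatch (stale or replayed reply)")
    return {"external_id": fields["external_id"][0], "email": fields["email"][0]}
```

The browser only carries the two signed values between the sites, so the "log in" link works without the services sharing cookies, and any service that holds the secret can verify who the provider says the user is.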