Re: Using postgresql.org account as an auth id on third party websites

From: Álvaro Hernández <aht(at)ongres(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Using postgresql.org account as an auth id on third party websites
Date: 2019-09-18 15:16:12
Message-ID: 05fa7f2b-38c0-8d21-0f30-187ebe64d784@ongres.com
Lists: pgsql-www

On 18/9/19 3:45, Magnus Hagander wrote:
> On Wed, Sep 18, 2019 at 12:25 AM Álvaro Hernández <aht(at)ongres(dot)com> wrote:
>
>
>
> On 17/9/19 14:14, Jonathan S. Katz wrote:
> > On 9/17/19 11:54 AM, Álvaro Hernández wrote:
> >>
> >>      Great, thank you Jonathan.
> >>
> >>      Now.... how do we register with the "central system"?
> > Well, first make sure that it works :)
> >
> > I've not handled the registration process myself, but to test it, ensure
> > you can authenticate against the test pgweb instance you've set up. You
> > can configure it from the "Community auth sites" and "community auth
> > orgs" part of the admin. So once that works, I think there can be the
> > conversation of actually registering with the "central system."
>
>      We can do that, no problem.
>
> >
> > To date, apps that use community auth have been within pginfra (AFAICT),
> > so to "formally request" it probably involves a longer conversation,
> > either here or with webmaster@ as the process of doing so has not been
> > exercised yet.
>
>      Fair enough. Now.... I'd like not to waste any resources before
> having that "longer conversation" then, which I hope it is not that
> long. We're building a user authentication system on top of
> https://postgresqlco.nf that will use external id providers like Google
> Account, Twitter and others. We'd like to provide postgresql.org
> community account as a first-class citizen authentication mechanism,
> since this is something for the PostgreSQL Community as a whole. If this
> is possible, great! If not, we should know asap and stick with the other
> providers only --but I hope should not be a big deal.
>
>
> So far, we have only approved services running fully managed by the
> infrastructure team to handle this. Some of them are managed by
> different organisations (such as PostgreSQL Europe or PostgreSQL US),
> but since they are running on the main infrastructure there the team
> has the ability to reach and manage all the data.
>
> Right now, the system isn't really set up to handle things outside of
> that, as some things (particularly in relation to our new friend the
> gdpr) are handled completely manually and are not in the system. There
> are a number of things that should be implemented before doing
> something like that, such as the ability to push out a forced account
> delete (no API for that now). Or at the very least, a second level of
> consent about sharing data in an irretrievable way.

    Hi Magnus.

    You mention that this mechanism is already approved for different
organisations. Indeed, this is where I saw it in action and loved the
idea! But if it is approved for third-party (from a legal perspective)
organisations, I don't see why it would not be for other third-party
organisations. You mention GDPR and, if anything, that they are running
"on the main infrastructure" (i.e. the infrastructure of a separate
legal entity, I assume the PostgreSQL Canada Association) seems like
something which may have serious GDPR issues on its own. I understand
how things are done when being built, but have a look just in case ;)

    But back on topic, on what concerns my request: let's open this up
to any third party organisation --it has already been done. I don't see
why having "the team the ability to manage all the data" changes
anything. What I'm requesting access to is a system for third-party
authentication, similar to "login with Google" or any other auth
provider. There's no "forced account delete" mechanism that I'm aware
of, and there is little to no information sharing other than "hey,
please authenticate this person and let me know the boolean information
of whether that was successful or not" (optionally request name and
email, as other authentication providers do, that is PII, but that's
it). What auth providers do is a way to force delete a session (an
authentication token, which typically expires quickly, but could be
forcibly expired). This is optional, and in no way would force any
deletion on the third party (it is the user who should use the third
party's account deletion procedures).

    In summary: it is already opened to third parties, please help us
get to use it too, it's a very cool thing ;)

    Álvaro

--

Alvaro Hernandez

-----------
OnGres
