Re: Using postgresql.org account as an auth id on third party websites

From: Álvaro Hernández <aht(at)ongres(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Using postgresql.org account as an auth id on third party websites
Date: 2019-09-18 16:17:59
Message-ID: ebe78f8b-47c2-5d7c-cf15-069a1596b9d7@ongres.com
Lists: pgsql-www

On 18/9/19 9:08, Stephen Frost wrote:
> Greetings,
>
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>> On Wed, Sep 18, 2019 at 12:25 AM Álvaro Hernández <aht(at)ongres(dot)com> wrote:
>>> On 17/9/19 14:14, Jonathan S. Katz wrote:
>>> Fair enough. Now.... I'd like not to waste any resources before
>>> having that "longer conversation" then, which I hope it is not that
>>> long. We're building a user authentication system on top of
>>> https://postgresqlco.nf that will use external id providers like Google
>>> Account, Twitter and others. We'd like to provide postgresql.org
>>> community account as a first-class citizen authentication mechanism,
>>> since this is something for the PostgreSQL Community as a whole. If this
>>> is possible, great! If not, we should know asap and stick with the other
>>> providers only --but I hope should not be a big deal.
>> So far, we have only approved services running fully managed by the
>> infrastructure team to handle this. Some of them are managed by different
>> organisations (such as PostgreSQL Europe or PostgreSQL US), but since they
>> are running on the main infrastructure there the team has the ability to
>> reach and manage all the data.
> I'd also point out that those other organizations are recognized
> Community Non-Profits, and/or running Community recognized conferences.
> That isn't an explicit 'policy' about what we run on pginfra or what
> pginfra manages or is willing to tie things into, just to be clear, but
> I do think it provides a good set of examples.

    If there isn't such a policy, TBQH I don't think this is an example
of anything. And if there would be a policy, I believe that being a
Community Non-Profit and/or running a Community conference should not be
requisites for being able to use postgresql.org login. Why should they
be related at all? If anything, this is about providing *convenience*
for PostgreSQL users to log into third party services without having to
depend on other third party authentication providers with whom those
users may feel less comfortable.

    FWIW I also organize a Community Recognized Conference
(https://pgibz.io)

>
>> Right now, the system isn't really set up to handle things outside of that,
>> as some things (particularly in relation to our new friend the gdpr) are
>> handled completely manually and are not in the system. There are a number
>> of things that should be implemented before doing something like that, such
>> as the ability to push out a forced account delete (no API for that now).
>> Or at the very least, a second level of consent about sharing data in an
>> irretrievable way.
> Yes, there's some technical bits too, but that might be something we
> could work out a solution to.

    Good, I'm all ears. But I'm still surprised that technical bits are
not required for PostgreSQL EU / US, they are separate entities and
those bits (at least from a legal perspective) should apply equally.

    Álvaro

--

Alvaro Hernandez

-----------
OnGres
