As a contributor to the AUR website, I got wind of the SSO migration project from Lukas. The SSO migration was recently announced on arch-dev-public and notably contains the following statement:
In order to still allow users to keep their old contributions in cases where they can prove their identity via email, we'll build a new small web application that allows them to connect their new Keycloak identity to their other identities.
The wiki article mentions we need to verify the email addresses registered on AUR in order to merge them with something. I feel a bit concerned by these statements because I don’t think email addresses should be used to merge accounts, or that we should automatically merge accounts at all. We’ve always used username/password pairs as a primary authentication method, and suddenly altering the authentication method without explicit user consent doesn’t sound respectful.
Some users may have used the same email address at different places but may want to keep their accounts separate. Other users may have used different email addresses but may want their accounts linked. Others may have deleted their email address but still regularly use a service without ever noticing they forgot to update their account information.
I’d like to suggest a migration flow that should cover everyone’s case without making risky decisions, nor requiring prior email verification:
First, we’d introduce an SSO button to the login page, next to or in place of the username/password form. When the user picks SSO, they’d be redirected to the SSO login page, where they may create an SSO account or input their existing SSO credentials. On successful login, they’ll be redirected back to the original website. If the website detects it’s the first time the SSO account has logged in, it would display both a registration form targeted at new users, and a legacy credentials form targeted at previously existing users. If the user fills in their legacy credentials, their account will be linked to the SSO.
Note that email address verification would take place only in the SSO account creation, once and for all services. Also note that the user doesn’t need to visit an external website for linking accounts, since the first-authentication flow guides them throughout the migration process.
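To make the proposed first-login flow concrete, here is an added example (my own sketch, not code from the AUR project or from the SSO migration work) of the server-side linking logic: the SSO subject identifier and the email reported by the provider are looked up, and the only proof accepted for claiming a legacy account is the legacy username/password pair. The in-memory tables, the `kc-sub-*` subject values and the PBKDF2 parameters are assumptions for the sake of a runnable demonstration.

```python
"""Added example, not AUR project code: first-SSO-login account linking.

A matching email address between the SSO identity and a legacy account is
deliberately NOT treated as proof of ownership; the user must present the
legacy username/password pair once, after which the SSO subject is linked.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class LegacyUser:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow password hash; PBKDF2-HMAC-SHA256 with an assumed iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountLinker:
    """Hypothetical in-memory stand-in for the legacy user table plus a table
    mapping SSO subject identifiers to local usernames."""

    def __init__(self) -> None:
        self.legacy: dict[str, LegacyUser] = {}   # username -> legacy account
        self.sso_only: set[str] = set()           # usernames created via SSO
        self.links: dict[str, str] = {}           # sso_subject -> username
        self.claimed: set[str] = set()            # usernames already linked

    def register_legacy(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.legacy[username] = LegacyUser(username, email, salt, hash_password(password, salt))

    def on_sso_login(self, sso_subject: str, sso_email: str) -> dict:
        """Called after the SSO provider redirects back with an authenticated identity.
        sso_email is accepted but intentionally unused for matching: the same
        address on both sides does not prove the same person owns both accounts."""
        if sso_subject in self.links:
            return {"status": "linked", "username": self.links[sso_subject]}
        # First login of this SSO identity: show both the new-user registration
        # form and the legacy-credentials form, let the user decide.
        return {"status": "first_login", "forms": ["register", "link_legacy"]}

    def link_with_legacy_credentials(self, sso_subject: str, username: str, password: str) -> bool:
        """Link sso_subject to an existing legacy account if the password checks out."""
        if sso_subject in self.links or username in self.claimed:
            return False  # each side may be linked exactly once
        user = self.legacy.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)  # keep timing uniform for unknown names
            return False
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return False
        self.links[sso_subject] = username
        self.claimed.add(username)
        return True

    def register_new(self, sso_subject: str, username: str) -> bool:
        """Create a fresh SSO-backed account; the username must be free on both tables."""
        if sso_subject in self.links or username in self.legacy or username in self.sso_only:
            return False
        self.sso_only.add(username)
        self.links[sso_subject] = username
        self.claimed.add(username)
        return True


if __name__ == "__main__":
    linker = AccountLinker()
    linker.register_legacy("alice", "alice@example.org", "correct horse battery")
    # Same email on the SSO side still yields the first-login screen, not an auto-merge.
    print(linker.on_sso_login("kc-sub-1", "alice@example.org"))
    print(linker.link_with_legacy_credentials("kc-sub-1", "alice", "correct horse battery"))
    print(linker.on_sso_login("kc-sub-1", "alice@example.org"))
```

The one-to-one guard in `link_with_legacy_credentials` matters for the cases raised above: a legacy account can be claimed by only one SSO identity, and an SSO identity that already chose to register fresh cannot later be silently merged into someone's old account. Email verification stays where the proposal puts it, at SSO account creation, and never enters the linking decision.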
This is most certainly not the first time the account linking topic is brought up, but these are my two cents as a non-infrastructure-y developer. Whether we take this road or not, I plan to contribute to the SSO integration at least as far as AUR is concerned.