[arch-devops] AUR and SSO login

[Frédéric Mangano-Tarumi]

Hello everyone,

As a contributor to the AUR website, I got wind of the SSO migration
project[1] from Lukas. The SSO migration was recently announced on
arch-dev-public[2] and notably contains the following statement:

> In order to still allow users to keep their old contributions in cases
> where they can prove their identity via email, we'll build a new small
> web application that allows them to connect their new Keycloak
> identity to their other identities.

The wiki article[1] mentions we need to verify the email addresses
registered on AUR in order to merge them with something. I feel a bit
concerned by these statements because I don’t think email addresses
should be used to merge accounts, or that we should automatically merge
accounts at all. We’ve always used username/password pairs as a primary
authentication method, and suddenly altering the authentication method
without explicit user consent doesn’t sound respectful.

Some users may have used the same email address at different places but
may want to keep their accounts separate. Other users may have used
different email addresses but may want their accounts linked. Other may
have deleted their email address but still regularly use a service
without ever noticing they forgot to update their account information.

I’d like to suggest a migration flow that should cover everyone’s case
without making risky decisions, nor requiring prior email verification:

First, we’d introduce an SSO button to the login page, next to or in
place of the username/password form. When the user picks SSO, they’d be
redirected to the SSO login page, where they may create an SSO account
or input their existing SSO credentials. On successful login, they’ll be
redirected back to the original website. If the website detects it’s the
first time the SSO account has logged in, it would display both a
registration form targeted at new users, and a legacy credentials form
targeted at previously existing users. If the user fills in their legacy
credentials, their account will be linked to the SSO.

Note that email address verification would take place only in the SSO
account creation, once and for all services. Also note that the user
doesn’t need to visit an external website for linking accounts, since
the first-authentication flow guides them throughout the migration
process.

This is most certainly not the first time the account linking topic is
brought up, but these are my two cents as a non-infrastructure-y
developer. Whether we take this road or not, I plan to contribute to the
SSO integration at least as far as AUR is concerned.

[1] https://wiki.archlinux.org/index.php/DeveloperWiki:SSOMigration
[2] https://lists.archlinux.org/pipermail/arch-dev-public/2020-May/029971.html

Regards,
-- 
fmang