There are no guarantees regarding the stability of any of the provided services.
__toc__
=== Roadmap ===
The current main goal is to provide a well-integrated user management system, so that other projects can be built on top of it.
Zombi has used LDAP-based user management for the last ten years, and it has proven to be stable. However, some shortcomings have become apparent:
* Users need mandatory attributes such as <code>given_name</code> and <code>last_name</code>, which are of little use to us and should be dropped in the future for data protection reasons.
* Every service that authenticates users against LDAP handles their cleartext passwords; a compromised service can therefore capture every password entered into it.
* Only password authentication is supported; multi-factor authentication cannot be implemented, and neither can alternative login methods (such as key- or certificate-based authentication).
* New attributes cannot easily be added to user accounts.
==== Keycloak ====
Until all the required components are finished, a Keycloak server is being set up for authentication. Once the new auth system can handle all the core features, it will be removed again.
==== OAuth2 Service ====
This component handles authentication and authorization of clients. It will have no GUI and will be configured via an API, in order to keep it simple.
==== Consent UI ====
This component displays the login and consent forms for the OAuth2 service. It is also responsible for mapping the granted scopes to the attributes that are placed in the <code>access_token</code> and the <code>oidc_token</code>, so that only attributes covered by a scope the user has consented to are released.
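The following is an added example of the scope-to-attribute mapping described above; it is not code from the Zombi project. The scope table, the issuer URL, the token lifetime, the function names and the sample user record are all assumptions for illustration. The tokens it returns are plain claim sets; signing them is left to the OAuth2 service.

```python
"""Added example, not Zombi code: mapping consented OAuth2 scopes to the
attributes released in the access_token and the OIDC id_token.  All names
and values here are assumptions for illustration."""
import time

# Assumed mapping from scope to the attributes it releases, split by token.
# Attributes no scope mentions (given_name below) are never released, which
# is the data-protection property the roadmap asks for.
SCOPE_CLAIMS = {
    "openid":      {"id_token": ["sub"], "access_token": []},
    "email":       {"id_token": ["email", "email_verified"], "access_token": []},
    "profile":     {"id_token": ["display_name", "website"], "access_token": []},
    "quota":       {"id_token": [], "access_token": ["credit", "quotas"]},
    "permissions": {"id_token": [], "access_token": ["permissions"]},
}

ISSUER = "https://auth.example.org"   # assumed issuer URL
TOKEN_LIFETIME = 3600                  # seconds, assumed

# Constructed sample user record; not real data.
SAMPLE_USER = {
    "sub": "7f3c2a10",
    "email": "alice@example.org",
    "email_verified": True,
    "display_name": "alice",
    "website": "https://example.org/~alice",
    "credit": 42,
    "quotas": {"vm": 2, "disk_gb": 50},
    "permissions": ["vm:create", "dns:edit"],
    "given_name": "Alice",   # stored, but no scope releases it
}


class ConsentError(ValueError):
    """Scope request or consent decision is inconsistent."""


def granted_scopes(requested, consented):
    """Validate the request/consent pair and return the scopes to grant.

    Unknown scopes are rejected rather than silently ignored, and the user
    cannot consent to scopes the client never asked for.
    """
    requested, consented = set(requested), set(consented)
    unknown = requested - set(SCOPE_CLAIMS)
    if unknown:
        raise ConsentError("unknown scopes requested: %s" % sorted(unknown))
    if not consented <= requested:
        raise ConsentError("consent covers scopes the client did not request")
    return consented


def consent_is_valid(requested, consented):
    """Boolean form of granted_scopes for callers that only need yes/no."""
    try:
        granted_scopes(requested, consented)
    except ConsentError:
        return False
    return True


def _claims_for(user, scopes, token_kind):
    """Collect the user attributes the granted scopes release into one token."""
    claims = {}
    for scope in sorted(scopes):
        for attr in SCOPE_CLAIMS[scope][token_kind]:
            if attr in user:
                claims[attr] = user[attr]
    return claims


def build_tokens(user, requested, consented, client_id, now=None):
    """Return {'access_token': claims, 'id_token': claims or None}.

    Standard claims (iss, aud, iat, exp, scope, sub) are applied last so a
    user attribute can never shadow them.  An id_token is only issued when
    the 'openid' scope was granted, as OIDC requires.
    """
    now = int(time.time()) if now is None else now
    scopes = granted_scopes(requested, consented)
    standard = {"iss": ISSUER, "aud": client_id, "iat": now,
                "exp": now + TOKEN_LIFETIME}
    access_token = {**_claims_for(user, scopes, "access_token"), **standard,
                    "sub": user["sub"], "scope": " ".join(sorted(scopes))}
    id_token = None
    if "openid" in scopes:
        id_token = {**_claims_for(user, scopes, "id_token"), **standard}
    return {"access_token": access_token, "id_token": id_token}


if __name__ == "__main__":
    import json
    tokens = build_tokens(SAMPLE_USER, ["openid", "email", "quota"],
                          ["openid", "quota"], "client-abc")
    print(json.dumps(tokens, indent=2))
```

In the sample run the client asks for <code>openid email quota</code> and the user consents only to <code>openid quota</code>: the access token carries <code>credit</code> and <code>quotas</code> but no email address, the id_token carries only <code>sub</code>, and <code>given_name</code> appears in neither because no scope maps to it.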
==== Registration ====
Handled either via the consent UI itself or via a dedicated service.
==== User self-service endpoint ====
Allows the user to:
* Change password
* Add new email addresses and verify them
* Change primary email
* Add TOTP
* Add oauth2 clients for own projects
* See and modify own profile (firstName, lastName, displayName, address, phone, xmpp, website…)
* See own attributes (credit, quotas, permissions…)
==== Client registration ====
Handled via shell scripts for now; later this will move to the user self-service endpoint.