2,038 bytes added, 13:41, 13 March 2020
Created Roadmap
There are no guarantees regarding the stability of any of the provided services.
 
 
=== Roadmap ===
The current main goal is to provide a well-integrated user management system, so that other projects can be implemented on top of it.
 
Zombi has used LDAP-based user management for the last 10 years, and it has proven stable so far. However, some shortcomings have become apparent:
* Users must carry mandatory attributes such as <code>given_name</code> and <code>last_name</code>, which are of little interest to us and should be left out in the future for data-protection reasons.
* Every service that authenticates against LDAP receives the user's cleartext password in order to bind; if one of these services is compromised, it exposes the passwords of every user who logs in through it, and those passwords are valid for all other services as well.
* Only password authentication is supported; multi-factor authentication cannot be implemented, and neither can alternative login methods (such as key- or certificate-based authentication).
* New attributes cannot easily be added to user accounts.
 
==== Keycloak ====
Until all the required components are finished, a Keycloak server will be set up for authentication. Once all the core features can be handled by the new auth system, it will be decommissioned again.
 
==== OAuth2 Service ====
This component will authenticate clients and issue the tokens that authorize them, i.e. it acts as the OAuth2 authorization server. It will have no GUI and will be configured via an API, in order to keep it simple.
 
==== Consent UI ====
This component displays the login and consent forms for the OAuth2 Service. It is also responsible for mapping the granted scopes to user attributes, and for deciding which of those attributes end up as claims in the access_token and the oidc_token. Attributes that no granted scope covers must never be copied into a token.
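The scope-to-claims step described above, as an added example that is not code from Zombi, Keycloak or the planned OAuth2 Service. The scope names, the attribute names, and the rule that identity scopes feed the oidc_token while the remaining scopes feed the access_token are assumptions chosen for illustration; the user record is constructed sample data.

```python
"""Map OAuth2 scopes to user attributes for a consent UI.

Added example, not code from Zombi or its OAuth2 Service. Scope names,
attribute names and the access_token / oidc_token split are assumptions.
"""
from typing import Dict, FrozenSet, Iterable, Mapping, Optional, Tuple

# Assumed scope -> attributes mapping. Anything not listed here is never
# copied into a token: a client that did not request (and the user did not
# grant) "profile" never learns a name, even if the record contains one.
SCOPE_ATTRIBUTES: Dict[str, FrozenSet[str]] = {
    "openid": frozenset({"sub"}),
    "email": frozenset({"email", "email_verified"}),
    "profile": frozenset({"display_name", "website"}),
    "quota": frozenset({"credit", "quotas"}),
}

# Assumption: identity scopes become oidc_token (ID token) claims for the
# client itself; everything else becomes access_token claims for APIs.
ID_TOKEN_SCOPES: FrozenSet[str] = frozenset({"openid", "email", "profile"})


class InvalidScope(ValueError):
    """The client asked for a scope the authorization server does not know."""


def effective_scopes(requested: Iterable[str], granted: Iterable[str]) -> FrozenSet[str]:
    """Scopes both requested by the client and granted on the consent form.

    Unknown scopes are rejected outright (OAuth2 'invalid_scope'), and an
    OpenID Connect request must include 'openid'.
    """
    requested = frozenset(requested)
    unknown = requested - SCOPE_ATTRIBUTES.keys()
    if unknown:
        raise InvalidScope(f"unknown scope(s): {sorted(unknown)}")
    if "openid" not in requested:
        raise InvalidScope("an OIDC request must include the 'openid' scope")
    return requested & frozenset(granted)


def is_valid_request(requested: Iterable[str]) -> bool:
    """True if the requested scope list would be accepted at all."""
    try:
        effective_scopes(requested, ())
    except InvalidScope:
        return False
    return True


def build_token_claims(
    user: Mapping[str, object], requested: Iterable[str], granted: Iterable[str]
) -> Tuple[Dict[str, object], Optional[Dict[str, object]]]:
    """Return (access_token_claims, oidc_token_claims) for a consented request.

    oidc_token_claims is None when the user did not grant 'openid', i.e. no
    ID token is issued at all.
    """
    scopes = effective_scopes(requested, granted)

    def pick(scope_set: FrozenSet[str]) -> Dict[str, object]:
        claims: Dict[str, object] = {}
        for scope in scope_set:
            for attr in SCOPE_ATTRIBUTES[scope]:
                if attr in user:  # attributes the user never set are omitted, not nulled
                    claims[attr] = user[attr]
        return claims

    id_claims = pick(scopes & ID_TOKEN_SCOPES) if "openid" in scopes else None
    access_claims = pick(scopes - ID_TOKEN_SCOPES)
    # The access token always carries the subject and the granted scope list,
    # so resource servers can perform their own scope checks.
    access_claims["sub"] = user["sub"]
    access_claims["scope"] = " ".join(sorted(scopes))
    return access_claims, id_claims


# Constructed sample record; note it holds a given_name that no scope exposes.
SAMPLE_USER = {
    "sub": "u123",
    "email": "alice@example.org",
    "email_verified": True,
    "given_name": "Alice",
    "credit": 42,
}
```

The data-protection point from the shortcomings list is enforced structurally here: the only way an attribute reaches a token is through a scope entry in the mapping, so adding a new attribute to a user record is harmless until somebody deliberately exposes it via a scope.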
 
==== Registration ====
Handled either by the consent UI itself or by a dedicated service.
 
==== User self-service endpoint ====
Allows the user to:
* Change password
* Add new email addresses and verify them
* Change primary email
* Add TOTP
* Add oauth2 clients for own projects
* See and modify own profile (firstName, lastName, displayName, address, phone, xmpp, website…)
* See own attributes (credit, quotas, permissions…)
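The "Add TOTP" item is the multi-factor step that the LDAP setup could not offer. As an added example (not code from Zombi; how the self-service endpoint stores the secret and the last-used counter per user is an assumption), this is the RFC 6238 TOTP logic such an endpoint needs: secret generation, the otpauth URI an authenticator app imports, and server-side verification with a small clock-drift window and replay protection. The constants are the RFC 6238 defaults (SHA-1, 30-second step, 6 digits); the issuer string is an assumed placeholder.

```python
"""TOTP (RFC 6238) enrolment and verification for a self-service endpoint.

Added example, not Zombi's code. Per-user storage of the secret and of the
last accepted counter is assumed to live in the user record.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def new_secret() -> bytes:
    """Fresh 160-bit secret, generated server-side at enrolment time."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str = "example-issuer") -> str:
    """otpauth:// URI (the QR-code payload) that authenticator apps import."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def verify(secret: bytes, code: str, at: int, window: int = 1,
           last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (ok, counter). The caller must persist the returned counter as
    the user's last_counter: any step at or before it is refused, so a code
    observed once (phishing, shoulder surfing) cannot be replayed even
    inside the drift window.
    """
    submitted = code.strip().encode("ascii", "replace")
    current = at // STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed (or older than a consumed step)
        expected = hotp(secret, counter).encode("ascii")
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True, counter
    return False, None


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"),
# used only to make the test vectors reproducible.
RFC_TEST_SECRET = b"12345678901234567890"
```

Enrolment should only mark TOTP as active after the user has proven possession by submitting one valid code; until then the secret is pending and password-only login must remain unaffected. The window of one step either way (90 seconds total) is the usual compromise between tolerating phone clock drift and limiting the number of codes an attacker can guess per attempt.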
 
==== Client registration ====
For now this is handled via shell scripts; later it will be handled via the user self-service endpoint.