[New Auth] - Create list of options for new authentication system. #815

Open
opened 2024-03-02 16:14:57 +01:00 by muppeth · 4 comments
Owner

Choosing a new authentication system should begin with gathering as much information as possible before any serious work is done, to save on resources.

Criteria (wip)

The main criteria we are looking at are as follows:

  • OpenID compliant
  • Possibility to enable two factor authentication
  • Possibility to enable/disable services by user
  • Possibility to register usernames
  • Self service center
    • Create aliases
    • Manage custom domain
    • Manage password
    • App passwords
  • Assign storage space for users
  • Assign custom domain attributes

Candidates (wip)

From our current investigation we have decided to look into the following:

  • [Canaille](https://gitlab.com/yaal/canaille) #655
  • [Zitadel](https://zitadel.com) #654
  • [Keycloak](https://www.keycloak.org) #653
  • [LemonLDAP](https://lemonldap-ng.org/) #673

The purpose of this task is to:

  • Finalize criteria list
  • Finalize candidates list
  • Check each candidate against the criteria
  • Draw conclusions for further work.

Once the task is complete, depending on the outcome following tasks will be created based on the guideline from #780
muppeth added the
Goal 2024
label 2024-03-02 16:14:57 +01:00
muppeth added the
New Auth
label 2024-03-02 16:17:17 +01:00
muppeth added this to the 2024 Goal - New Authentication system project 2024-03-02 16:17:22 +01:00

@muppeth It might be nice to have support for FIDO2 integration added to this list of criteria.

Owner

Something that creates a one-time code during account creation, with which the user can reset their password themselves, would be a nice feature.

@avg_joe Wouldn't such a code be more troublesome (and less secure) than the current security questions required for a password reset? https://user.disroot.org/pwm/public/forgottenpassword

Plus, for those who prefer a code, that can still be a custom question they can add when setting up their prompt answers.

Owner

@hrmo Why do you think it would be less secure? It is very often used, for example, with 2FA. Besides, I think the answers to security questions can be "hacked" by social engineering, so I'm not that confident about their level of security.
Reference: Disroot/Disroot-Project#815