Auth0 as security provider

Status

Not started

Impact

High

Driver

@Fabrizio Bellicano 

Approver

 

Contributors

@Sergey Peshkov

Informed

 

Due date

Outcome

Background

Currently our security is built in-house. While the system is probably built following the standards (I cannot audit it, nor could I vouch for it, as I don't have the skillset or the time to learn), it is still an unwise choice to reinvent the wheel when such systems already exist. Such systems (e.g. Keycloak) are also open-source and trusted and used in enterprise applications; some are even provided as a service by companies (e.g. Auth0), greatly simplifying configuration. The security of the data is their whole business.

Given that we as AEGEE are entitled to the Auth0 plan for open source, and therefore pay nothing for a business plan, it would be even more unwise not to take advantage of it.


Note:
While at the beginning we thought we could use the MyAEGEE API to log in, it is possible that we would need to change the login method in order to accommodate SSO. This still poses no data security problem, as the only data exchanged would be the username and password.

Relevant data

https://auth0.com/docs/sso/current

Options considered

Option 1
Description: Auth0 as provider
Pros and cons:
    Risk: Low
    Allows SSO to be implemented simply
    We can still retain control of our data; if we decide to delegate it to Auth0, it will only be username/password (no personal data)
    Takes long-ish to implement
Estimated cost: Large
Estimated risk: Low

Option 2
Description: Provider stays the same
Pros and cons:
    Takes no time
    No SSO in the short term
    Risk: High
Estimated cost: none
Estimated risk: High

Action items

Outcome