Yarn

Recent twts in reply to #gfpkedq

Speaking of SSO and a draft blog post I’m writing that I think I’ll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) – I’ve been thinking for a while now about building a new project based around IndieAuth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an “Authentication backend” / “Identity Provider”.

Thoughts? 🤔

Btw, did you know that most (all?) Yarn.social pods are actually already working IndieAuth Identity providers and you can auth against your own pod to anything that can use IndieAuth? 😅


@abucci@anthony.buc.ci I think it would solve a lot of problems for me too 👌 Maybe you could help think of a minimal feature set of “must haves” and “nice to haves” and “optional features”? That would help understand my use-case and yours and maybe anyone else that might need something like this (I suspect more than just you and I).


@abucci@anthony.buc.ci What I’ve learned in production is the apps need to be built or heavily modified to truly support object capabilities. We’ve packaged numerous apps for Sandstorm, but the best experience is still apps written to work in that environment, even if they aren’t as feature-heavy.


@ocdtrekkie@twtxt.net And that’s half the other problem I have too:

> but the best experience is still apps written to work in that environment, even if they aren’t as feature-heavy

This increases friction for developers writing apps for, or packaging or modifying existing apps for, Sandstorm.


@ocdtrekkie@twtxt.net You may be right in that Capability-based Security is the “better” way of securing applications and data access, sure, but we do probably need to innovate here. Right now I feel like I’m at a point where my understanding of and experience with CAS (if that’s a valid acronym for this?) is limited, and whilst I will continue to think about it, I’m unlikely to adopt the Sandstorm model as-is.


@abucci@anthony.buc.ci Oh wait a damn minute 😅 I was only talking about the “Authentication” / “Identity” part here. The RBAC / Roles you’re describing here are handled quite nicely by Authelia – What I was thinking of was to write an Authentication backend for Authelia (as an alternative to LDAP or the YAML users file). That’s all 🤣 Let Authelia handle all the RBAC and ACLs.
