On 12 Jul 2017, at 15:31, Magnus Hagander <magnus@hagander.net> wrote:

<snip>

> OpenID is not, OAuth 2 is.
>
> Google, Github and Facebook all speak OAuth 2.

I have working implementations for both Google and Github, so I'm sure it would be easy enough to make one for Facebook. I will see how much work it is to move that code over instead of using the Google javascript API that I did now. TBH, it's probably *easier* because it's not javascript :)
> As a thought, we could implement something like Auth0 (auth0.com), which does OAuth2 and provides a login for Google, FB, LinkedIn, GitHub, and others.
I fail to see what it really adds, over one more thing that can break, and one more data collection point. For us, that is -- I can certainly see other cases.
> Pros
> ****
>
> * Pretty simple to implement
> * It has a reasonable management interface for picking and choosing which auth providers to allow (eg we can choose GitHub, Google, FB, and not enable others)
> * The management interface has reasonable reporting too, to show user activity, stats, etc
So far that's all covered by talking oauth directly. So the only thing there they'd actually add is about 4-5 URLs and decoding of a trivial js structure.
> * Free for Open Source projects
For now... And AFAICT only for the cloud services, not the on-premise/installed one.
> * They're PG friendly, with instructions for using PG in their setup docs :)
Now *that* is always nice :)
> Cons
> ****
>
> * Not Open Source, though their setup examples and other supporting bits are on GitHub
> * Another in-between service that can go down
> * Another cloud service holding our users' data (they're clearly already happy with google/facebook/whatnot, but forcing an intermediary on them for no large benefit will certainly result in questions if not complaints)
But in the end -- it just seems like a massive overkill for what's actually a simple problem. All the actual *complexity* is on our side anyway (because we want to keep supporting local users), and it's not making that part any easier.
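The thread's position is that speaking OAuth 2 directly is a handful of URLs plus decoding a small JSON structure. What follows is an added example, not code from this thread or from the PostgreSQL community's own login code, of what that direct implementation looks like as an authorization-code flow against GitHub's public endpoints (those three URLs are real). The client id, secret, redirect URI, session dict, transport function and all responses are constructed so the flow runs offline; the part that matters for security is the one-time `state` check, which is what stops a cross-site request from completing a login the user never started.

```python
"""Minimal OAuth 2.0 authorization-code client, stdlib only (added example)."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# GitHub's documented OAuth 2.0 endpoints.
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
USERINFO_URL = "https://api.github.com/user"


class OAuthError(Exception):
    """Raised when the callback or token exchange must be rejected."""


class OAuth2Client:
    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        # transport(url, data=None, headers=None) -> (status, body_text); injected
        # so the same code can run against a constructed stand-in for HTTP.
        self.transport = transport

    def start_login(self, session):
        """URL 1: redirect the browser to the provider with a fresh random state."""
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state  # bound to this user's session only
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": "read:user user:email", "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def finish_login(self, session, callback_url):
        """URL 2 (callback), URL 3 (token), URL 4 (profile): returns a profile dict."""
        query = parse_qs(urlparse(callback_url).query)
        expected = session.pop("oauth_state", None)  # one-time use: pop, don't get
        received = query.get("state", [None])[0]
        if not expected or not received or not secrets.compare_digest(expected, received):
            raise OAuthError("state mismatch")
        if "error" in query:  # user denied, or the provider rejected the request
            raise OAuthError(f"provider error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if not code:
            raise OAuthError("missing authorization code")

        status, body = self.transport(
            TOKEN_URL,
            data=urlencode({"client_id": self.client_id, "client_secret": self.client_secret,
                            "code": code, "redirect_uri": self.redirect_uri}),  # must match step 1
            headers={"Accept": "application/json"})
        token = json.loads(body)  # the "trivial structure": access_token / token_type / error
        if status != 200 or "error" in token or "access_token" not in token:
            raise OAuthError(f"token exchange failed: {token.get('error', status)}")

        status, body = self.transport(
            USERINFO_URL, headers={"Authorization": f"Bearer {token['access_token']}"})
        if status != 200:
            raise OAuthError(f"userinfo failed: {status}")
        profile = json.loads(body)
        # Key the local account on the provider's stable numeric id, not the
        # login name, which the user can rename.
        return {"provider": "github", "id": str(profile["id"]),
                "login": profile["login"], "email": profile.get("email")}


def fake_transport(url, data=None, headers=None):
    """Constructed stand-in for HTTP so the example runs offline."""
    headers = headers or {}
    if url == TOKEN_URL:
        if parse_qs(data).get("code") == ["good-code"]:
            return 200, json.dumps({"access_token": "gho_constructed", "token_type": "bearer"})
        return 200, json.dumps({"error": "bad_verification_code"})  # GitHub answers 200 here
    if url == USERINFO_URL and headers.get("Authorization") == "Bearer gho_constructed":
        return 200, json.dumps({"id": 12345, "login": "example", "email": None})
    return 401, "{}"


def demo(code="good-code", tamper_state=False):
    """Run the whole flow with constructed values; returns the profile dict."""
    session = {}
    client = OAuth2Client("cid", "csecret", "https://example.test/oauth/callback", fake_transport)
    state = parse_qs(urlparse(client.start_login(session)).query)["state"][0]
    if tamper_state:
        state = "forged"  # what a cross-site attempt looks like on the callback
    callback = f"https://example.test/oauth/callback?{urlencode({'code': code, 'state': state})}"
    return client.finish_login(session, callback)


def rejected(**kwargs):
    """True if the flow refuses these inputs with OAuthError."""
    try:
        demo(**kwargs)
    except OAuthError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Swapping in Google means changing the three endpoint constants, the scope string and the profile field names; nothing in the state handling or the token parsing changes, which is the point being made in the thread.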