Re: Using postgresql.org account as an auth id on third partywebsites

On 18/9/19 9:08, Stephen Frost wrote:
> Greetings,
>
> * Magnus Hagander (magnus@hagander.net) wrote:
>> On Wed, Sep 18, 2019 at 12:25 AM Álvaro Hernández <aht@ongres.com> wrote:
>>> On 17/9/19 14:14, Jonathan S. Katz wrote:
>>>       Fair enough. Now.... I'd like not to waste any resources before
>>> having that "longer conversation" then, which I hope it is not that
>>> long. We're building a user authentication system on top of
>>> https://postgresqlco.nf that will use external id providers like Google
>>> Account, Twitter and others. We'd like to provide postgresql.org
>>> community account as a first-class citizen authentication mechanism,
>>> since this is something for the PostgreSQL Community as a whole. If this
>>> is possible, great! If not, we should know asap and stick with the other
>>> providers only --but I hope should not be a big deal.
>> So far, we have only approved services running fully managed by the
>> infrastructure team to handle this. Some of them are managed by different
>> organisations (such as PostgreSQL Europe or PostgreSQL US), but since they
>> are running on the main infrastructure there the team has the ability to
>> reach and manage all the data.
> I'd also point out that those other organizations are recognized
> Community Non-Profits, and/or running Community recognized conferences.
> That isn't an explicit 'policy' about what we run on pginfra or what
> pginfra manages or is willing to tie things into, just to be clear, but
> I do think it provides a good set of examples.

     If there isn't such a policy, TBQH I don't think this is an example 
of anything. And if there would be a policy, I believe that being a 
Community Non-Profit and/or running a Community conference should not be 
requisites for being able to use postgresql.org login. Why should they 
be related at all? If anything, this is about providing *conveniency* 
for PostgreSQL users to log into third party services without having to 
depend on other third party authentication providers which whom those 
users may feel less comfortable.

     FWIW I also organize a Community Recognized Conference 
(https://pgibz.io).

>
>> Right now, the system isn't really set up to handle things outside of that,
>> as some things (particularly in relation to our new friend the gdpr) are
>> handled completely manually and are not in the system. There are a number
>> of things that should be implemented before doing something like that, such
>> as the ability to push out a forced account delete (no API for that now).
>> Or at the very least, a second level of consent about sharing data in an
>> irretrievable way.
> Yes, there's some technical bits too, but that might be something we
> could work out a solution to.

     Good, I'm all ears. But I'm still surprised that technical bits are 
not required for PostgreSQL EU / US, they are separate entities and 
those bits (at least from a legal perspective) should apply equally.


     Álvaro

-- 

Alvaro Hernandez


-----------
OnGres