You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: engineering/passports/id/DESIGN_DOC.md
+26-11Lines changed: 26 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@
4
4
5
5
## Objective
6
6
7
-
Creating a universal authentication system for Purdue Hackers.
7
+
Create a universal authentication system for Purdue Hackers.
8
8
9
9
## Background
10
10
@@ -14,30 +14,37 @@ Many Purdue Hackers projects necessitate keeping track of people’s identities
14
14
15
15
### Stakeholders
16
16
17
-
Anyone with a passport and all Purdue Hackers projects that require signing in.
17
+
Anyone with a passport and all Purdue Hackers projects that require consistent identity tracking.
18
18
19
19
### Existing Solutions
20
20
21
-
-Using other auth providers (Google, Github)
21
+
-Continuing to use our self-hosted Authentik instance: High friction, does not fit the Purdue Hackers ethos of making our own solution for the fun of it
22
22
23
23
### Alternative Solutions
24
24
25
-
- Using other auth providers
25
+
- Using public OAuthproviders (Google, Github): Have usage limits and other restrictions that would make them a pain to deal with.
26
+
- Integrate into Authentik: This is something that was considered but we would still rely on Authentik and this solution would likely end up with ID becoming irrelevant as more people would likely rely on Authentik's other options.
- Usable in a secure manner when necessary, configurable on a per-client basis
36
+
- Some site could require 2FA for all sign ins and force users without it to add it before continuing
37
+
- Use either TOTP or Webauthn (https://github.com/kanidm/webauthn-rs)
36
38
- Store passport data and manage which one is active for each user
39
+
- A user management interface
40
+
- Metrics and event logging (metrics exportable to some TBD software, events with a webhook)
41
+
- Exact contents of metrics and event logging to be determined later
42
+
- Groups integration through OIDC spec (allows any application with the `user:read` scope to query a user's groups and take action on them)
43
+
- Future: Hook system, execute python code on certain events (ex. on:login, on:logout, on:usermanage) to modify data or deny request
37
44
38
45
### Non-Goals
39
46
40
-
- Be cryptographically secure with just passports (out of scope, complicated, and expensive)
47
+
- Be cryptographically secure with just passports (unnecessary when secure 2FA is available)
41
48
- Be the central hub for data storage with regards to each Hack Night attendee.
42
49
43
50
### Constraints
@@ -59,20 +66,28 @@ Each user can have an arbitrary number of passports associated with them but onl
59
66
60
67
A basic interface reminiscent of other current sign in platforms will ask the user if they want to approve the connection with the target app and list the scopes the app is requesting after they verify ownership of their passport. Passport ownership is verified by entering the passport number then scanning the passport with a phone to contact the server and allow the sign in.
61
68
69
+
The user management system will allow a user to enroll/unenroll from 2FA and manage aspects of their profile as well as adding their own clients to work with ID (with some restrictions on scopes to protect sensitive information). The admin side will allow arbitrary user operations (enable/disable, see 2FA, etc).
70
+
71
+
The metrics and events system, groups, and (future) policies will be customizable from the admin dashboard.
72
+
62
73
### Deployment
63
74
64
75
Users can integrate with ID using the example repo as a base.
65
76
66
77
## Milestones
67
78
68
-
- Full OAuth support within a month
69
-
- Easy integration instructions/example within a week afterwards
79
+
- User management
80
+
- Arbitrary user 2FA enrollment
81
+
- Advanced client management system
82
+
- Metrics and events active
83
+
- Groups API
84
+
- Future: Policies system
70
85
71
86
## Additional Considerations
72
87
73
88
### Security
74
89
75
-
Passports are not secure since they just use basic NFC tags. For most things this is fine but for high-security apps it is possible to swipe an administrator’s passport and scan it when asked. Therefore administrators will be required to have two-factor authentication (TOTP specifically) enabled on their account for all integrations.
90
+
Passports on their own are not secure since they just use basic NFC tags. For most applications this is fine but for high-security apps it is possible to swipe an administrator’s passport and scan it when asked. Therefore, apps can require two-factor authentication if they necessitate secure authentication but if the session is 2FA authenticated then the cached version will be accepted. If the session is not 2FA authenticated then an upgrade will be attempted.
0 commit comments