Giter VIP home page Giter VIP logo

Comments (3)

woodruffw avatar woodruffw commented on June 30, 2024

As a follow-on to the above: one of the proposed solutions here was to relax Sigstore/Fulcio's current "one-SAN" rule, and allow multiple SANs: zero or more per email associated with the account, plus an OtherName SAN for the username.

This would (in theory) be backwards compatible with existing clients, but might also cause breakage (since clients may currently assume only a single SAN) and introduces some ambiguity (it's unclear which among the SANs is "preferred," or whether they're all equally valid, as well as whether they all refer to the same logical entity.)

I think my personal preference here would be to preserve the "one-SAN" rule, and improve the OAuth/Dex flow page to emphasize the different kind of identity being obtained (e.g. have different sections for email vs. user identities). I'm not sure how hard that would be to do on the Dex side, through (is it possible to have the same IdP registered multiple times, but with different configurations for the resulting ID?)

from fulcio.

haydentherapper avatar haydentherapper commented on June 30, 2024

@wlynch suggested another format which would be using GHs noreply format used for private emails, [email protected]. This might be the best of both worlds - We get username, we get userid for immutability, the format is an email so no clients would need to be updated.

We'd need to patch our instance of Dex to include dexidp/dex#2618, and would likely still need to configure Dex to add both username and user ID.

from fulcio.

woodruffw avatar woodruffw commented on June 30, 2024

That solution is nice, although perhaps it should be all or nothing: having it be the user's primary email in some cases rather than the noreply email means that we lose the consistency of having a GitHub "username" identity that we can mangle out of the email identity.

Perhaps it's too much work, but IMO the ideal solution here is:

  1. Adopt dexidp/dex#2618 for the current GitHub IdP connector, plugging the privacy concern noted above;
  2. Add another GitHub IdP connector that supports username identities. Visually separate this one in the OAuth flow to help users avoid confusing the two.

OTOH, having two separate GitHub IdP connectors might cause a lot of user confusion, even if visually separated.

from fulcio.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.