
Add support for Ipsilon as an Auth Provider
Closed, Wontfix (Public)

Description

I admin a Phabricator instance which has been utilizing Persona to auth against our existing user system. Unfortunately, that is the only supported auth mechanism which Phabricator currently supports and is an option for us and I'm looking for another option before Persona stops working entirely.

The actual authentication is handled by an instance of Ipsilon which is designed to provide SSO to applications and supports OAuth2, amongst other things (OpenID Connect, SAML2, OpenID, Persona).

Instead of adding support for yet another OAuth setup, I'm proposing support for Ipsilon which has a predictable set of URIs (token URI, user info URI etc.) given a known base. Ipsilon is a standard OAuth2 provider and support for Ipsilon should be a relatively straightforward extension of the existing support for OAuth2.

I'm going to be writing some code to support this anyways and since an Ipsilon auth provider could be useful to more people than just us, I figured I would see if you would be interested in such a patch.

Event Timeline

tflink renamed this task from Add Auth Support for Ipsilon instances to Add support for Ipsilon as an Auth Provider. Jul 15 2016, 5:22 PM
tflink created this task.
epriestley claimed this task.
epriestley added a subscriber: epriestley.

We aren't interested in maintaining this since we haven't seen other interest in it, but feel free to add it to Community Resources.

Unless a provider is exceptionally popular, I expect we will bring very few additional providers upstream. Providers can be written entirely as extensions, and should be more manageable after T5055.

I can understand that, thank you for responding and explaining.

Persona is going away entirely in a few months and isn't working well at the moment either, so I need to do something and I'm hoping that you may have a suggestion on how to proceed.

The last time I asked about extensions on IRC, I understood the response to be "don't ask about extensions here, they're not supported, use at your own risk but you won't get any help here". T5055 doesn't sound like it's going to be solved soon so I suspect that's not going to be an option in the timeframe I need.

Are you aware of any other options for us other than maintaining my own fork of phabricator/arcanist/libphutil or blindly poking at extensions to figure out how they work for now, knowing that whatever I write may break without warning until T5055 is resolved?

Community Resources has some other working examples of auth extensions and Adding New Classes explains how to write them today. But there's no formal support until T5055 / T5447.

If you'd like us to write an extension for you or help you write an extension, you can pay us for support (see Consulting).

Just to make sure that I was clear enough in my initial request - Ipsilon is not an OAuth2 provider in the same way Github or Asana is.

Ipsilon is a system which provides an OAuth2/SAML2/etc. interface on top of an existing user auth system, offering a way to have some SSO capability without completely rewriting an existing auth system. It's the closest thing I know of to generic OAuth2 support that's available right now.

Anyhow, thanks for the answers. I'll look at the existing plugins and figure something out.

Ipsilon support would almost certainly take the form of an auth adapter. Phabricator auth adapters are not restricted to OAuth2: they include LDAP, username/password, OAuth1, and Persona (and T814 has examples that include HTTP Basic / Kerberos-via-HTTP Basic).