Immediate goal is to support the OAuth-based integrations (JIRA and Asana). We can't really do anything about, say, VPN'd on-premises JIRA installs, but anything accessible over the public internet can work, and Asana can always work.
To get these integrations working, we need to let instances have Asana and JIRA auth providers. However, they shouldn't permit registration (all user accounts should be tied to central Phacility accounts). In the Asana case, you must also edit locked configuration to enable the integration, and there's no way for administrators to do that right now.
The simplest approach is probably:
- Build admin console workflows for configuring JIRA and Asana.
- After an instance administrator makes updates, sync the instance.
- When an integration is configured, the sync creates or enables the respective auth provider, configuring it correctly and forcing it to login-only.
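To make the sync step concrete, here is a small reconciliation model, added for illustration and not taken from Phacility or Phabricator. It takes the instance's desired integration configuration and its existing auth providers and produces the provider state the sync would write: providers are created or updated as needed, registration is always forced off (instance accounts must come from central auth), account linking stays on, and removing an integration disables rather than deletes its provider so existing links survive. The required config key names (`base_uri`, `consumer_key`, `private_key`, `client_id`, `client_secret`) are assumptions for this example, not the real provider configuration keys.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

# Integrations this model knows about and the config keys each needs.
# Key names are assumptions for this example, not Phabricator's real keys.
REQUIRED_KEYS = {
    "jira": ("base_uri", "consumer_key", "private_key"),
    "asana": ("client_id", "client_secret"),
}


@dataclass(frozen=True)
class AuthProvider:
    kind: str                 # "jira" or "asana"
    enabled: bool
    allow_registration: bool  # must always be False on an instance
    allow_link: bool          # users may link an existing account
    config: Dict[str, str] = field(default_factory=dict)


class IntegrationConfigError(ValueError):
    """Raised when an integration's configuration is incomplete or unsafe."""


def validate_integration(kind: str, config: Dict[str, str]) -> None:
    # Reject unknown integrations and incomplete credentials before the
    # sync would ever enable a provider based on them.
    if kind not in REQUIRED_KEYS:
        raise IntegrationConfigError(f"unknown integration {kind!r}")
    missing = [k for k in REQUIRED_KEYS[kind] if not config.get(k)]
    if missing:
        raise IntegrationConfigError(f"{kind}: missing {', '.join(missing)}")
    # A JIRA install only works here if it is reachable over HTTPS.
    if kind == "jira" and not config["base_uri"].startswith("https://"):
        raise IntegrationConfigError("jira: base_uri must use https://")


def is_valid_integration(kind: str, config: Dict[str, str]) -> bool:
    try:
        validate_integration(kind, config)
        return True
    except IntegrationConfigError:
        return False


def sync_auth_providers(
    integrations: Dict[str, Dict[str, str]],
    existing: Dict[str, AuthProvider],
) -> Tuple[Dict[str, AuthProvider], List[str]]:
    """Reconcile desired integration config into auth-provider state.

    Returns the new provider map and a list of human-readable changes
    suitable for an audit log. Calling it twice with the same input
    yields no changes the second time (idempotent).
    """
    providers = dict(existing)
    changes: List[str] = []
    for kind in REQUIRED_KEYS:
        desired: Optional[Dict[str, str]] = integrations.get(kind)
        current = providers.get(kind)
        if desired is None:
            # Integration removed: disable, but keep the record so that
            # previously linked accounts are not orphaned.
            if current is not None and current.enabled:
                providers[kind] = replace(current, enabled=False)
                changes.append(f"disabled {kind}")
            continue
        validate_integration(kind, desired)
        # The sync owns the security-relevant flags: whatever the stored
        # provider currently says, registration is off and linking is on.
        wanted = AuthProvider(
            kind=kind,
            enabled=True,
            allow_registration=False,
            allow_link=True,
            config=dict(desired),
        )
        if current is None:
            changes.append(f"created {kind}")
        elif current != wanted:
            changes.append(f"updated {kind}")
        providers[kind] = wanted
    # Invariant every sync must leave behind: no instance provider registers.
    for provider in providers.values():
        assert not provider.allow_registration, provider.kind
    return providers, changes


if __name__ == "__main__":
    # Constructed sample configuration, not real credentials.
    desired = {"asana": {"client_id": "example-id", "client_secret": "example-secret"}}
    state, log = sync_auth_providers(desired, {})
    print(log, state["asana"])
    state, log = sync_auth_providers({}, state)
    print(log, state["asana"].enabled)
```

Running the sync against a provider record whose `allow_registration` flag was somehow flipped on reports an `updated` change and rewrites it to off, which is the property the login-only requirement above depends on.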
This also allows users to log in to their instance with their JIRA/Asana OAuth credentials instead of their Phacility credentials.
The tougher part is allowing login to a Phacility account with OAuth credentials, and how this is generally likely to be confusing:
- We could simply enable this, but the account link won't (and can't) synchronize to instances, which feels confusing.
- We can't ever do it for JIRA, unless we change how central auth works and pre-prompt you for an instance, which defeats the whole purpose of central auth.
- Maybe we just don't?
Leaving central auth as username+password generally feels OK to me, but the downside is that the signup workflow is now involved:
- Administrator invites all users via email.
- They accept the invite and register username + password accounts with no prefilling.
- They click through to their instance.
- Currently, they'd be given a choice between central OAuth (correct) and Asana (wrong), but we could remove this choice.
- They go through central OAuth, then need to know that they have to go to Settings to link an external account, although this doesn't feel too messy.
- If they survive this intake gauntlet, mycompany.phacility.com starts working in a reasonable way, although every time they try to log in they now have a similar choice between central OAuth (probably harder) and Asana OAuth (probably easier). But I think that's comprehensible.