Hi Simo,

On Mon, 22 Apr 2019 at 20:39, Simo Sorce <simo@xxxxxxxxxx> wrote:
>
> Any reason why oidc is required instead of a simple GSSAPI (via
> mod_auth_gssapi) ?
> GSSAPI authentication won't require a graphical session to work.

The main reasons for going with OIDC rather than GSSAPI are:

1. User support: we have had a *lot* of contributors that had issues using GSSAPI for Fedora, often because they have older or employer-specific krb configurations: a lot of them are for example missing the "includedir /etc/krb5.conf.d" and the dns_kdc_lookup options. One other very common occurrence is the dns_canonicalize_hostname and rdns options: the Fedora defaults for these options are required for the Fedora Infra krb5 to work, but a lot of employers set (or even require) these to be set to "true". Fedora Infra is unable to work with these options set to true, because we have a lot of nodes for which we do not control recursive DNS, in addition to the fact that we have the exact same set of entry points for all services, which means reverse DNS is useless.

2. With the upcoming account system change (to be backed by FreeIPA) our plan is to start requiring 2 factor auth for some groups (primarily the system administrators, it'll be opt-in for other users), and then we want to be able to enforce using the same 2FA tokens for any access. The 2FA scheme that we are solely planning to support is U2F/FIDO2, and to the best of my knowledge there has so far not been any work on integrating this with any krb5 server. The current plan is to integrate the 2FA flow into the identity provider, and have it enforce and check the tokens. Using OpenID Connect for this login would mean that we get the 2FA enforcement "for free".

Also, please note that there are concrete plans to lift the requirement for a graphical session for OpenID Connect tokens, but that would be part of the same authentication work.
Patrick

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
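The first point in the reply describes a recurring support problem: contributor krb5.conf files that lack the `includedir /etc/krb5.conf.d` line, disable KDC lookup over DNS, or force `dns_canonicalize_hostname` and `rdns` to `true`. The following checker is an added example, not code from the mailing-list thread or from Fedora Infrastructure; it parses the `[libdefaults]` section of a krb5.conf and reports each of those conditions. It assumes MIT krb5's option names (`dns_lookup_kdc` is the real spelling of what the mail calls `dns_kdc_lookup`), assumes that the Fedora defaults referred to in the mail are `rdns = false` and `dns_canonicalize_hostname = false`, and treats an unset `rdns` or `dns_canonicalize_hostname` as MIT's built-in default of `true`. The two sample configurations are constructed for the example.

```python
"""Lint a krb5.conf for the settings that the Fedora devel thread says
break Kerberos against Fedora Infra. Added example, not Fedora's code."""
import re

# Constructed sample of an employer-style krb5.conf (not a real file).
EMPLOYER_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE
    dns_lookup_kdc = false
    dns_canonicalize_hostname = true
    rdns = true

[realms]
    CORP.EXAMPLE = {
        kdc = kdc.corp.example
    }
"""

# Constructed sample following the Fedora default layout (assumed values).
FEDORA_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = false
    rdns = false
    dns_canonicalize_hostname = false
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*$")


def parse_krb5_conf(text):
    """Return (includedirs, libdefaults) from krb5.conf text.

    Only top-level key = value lines of [libdefaults] are collected;
    brace-delimited sub-blocks (realm definitions) are skipped."""
    includedirs = []
    sections = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("includedir "):
            includedirs.append(line.split(None, 1)[1])
            continue
        m = SECTION_RE.match(line)
        if m:
            section, depth = m.group(1), 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        m = KV_RE.match(line)
        if m and section and depth == 0:
            sections.setdefault(section, {})[m.group(1)] = m.group(2)
    return includedirs, sections.get("libdefaults", {})


def check_fedora_infra_compat(text):
    """Return a list of findings; an empty list means no known blocker."""
    includedirs, lib = parse_krb5_conf(text)
    findings = []
    if not any(d.rstrip("/") == "/etc/krb5.conf.d" for d in includedirs):
        findings.append('missing "includedir /etc/krb5.conf.d": '
                        "realm snippets in that directory are never loaded")
    # MIT krb5 defaults dns_lookup_kdc to true; only an explicit false blocks.
    if lib.get("dns_lookup_kdc", "true").lower() == "false":
        findings.append("dns_lookup_kdc = false: KDCs cannot be found "
                        "through DNS SRV records")
    # Unset means MIT's built-in default of true (assumption stated above).
    for key in ("dns_canonicalize_hostname", "rdns"):
        value = lib.get(key, "true").lower()
        if value == "true":
            findings.append(f"{key} = {value}: hostname canonicalisation "
                            "via DNS breaks shared Fedora Infra entry points")
    return findings


if __name__ == "__main__":
    for name, conf in (("employer", EMPLOYER_CONF), ("fedora", FEDORA_CONF)):
        print(name, check_fedora_infra_compat(conf) or ["ok"])
```

Run it against a real `/etc/krb5.conf` by reading the file into `check_fedora_infra_compat`; an empty result means none of the four conditions from the mail is present, although snippets under `/etc/krb5.conf.d/` are not merged in by this simplified parser.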