OAuth for Spinitron

KBOO · January 7, 2020, 9:53pm

Hi!

I am interested in trying to have Spinitron use OAuth - Open Authentication (like they do for this forum!) so that our hosts can login using their Google, Facebook or Github account - instead of having to have a separate login for Spinitron, for the KBOO website and for our volunteer management software…
Anyone else looking into this?
Tom at Spinitron says if enough stations request this feature they will look into adding it.

thanks!
jenka @KBOO

timlight10 · January 8, 2020, 12:16pm

I’m going to latch on here as we might be interested in integrating the University single sign on system with Spinitron if that is possible.

tom · January 8, 2020, 2:01pm

This is the kind of thing that can be really expensive to develop and maintain unless we strictly limit the specification. It’s also not clear how many stations would benefit. This forum thread allows others to chime in and allows us to elaborate the details.

We already use Google and Facebook as Oauth providers for guest login to chat and for search. But we limit it there. Each additional provider involves extra work because they are all different and they change from time to time. A campus single sign-on requires custom software for that particular client.

How would Spinitron integrate Oauth with the existing software? The Oauth login itself isn’t so hard. But users need a way to establish, cancel and renew their authorization of the external Oauth providers. Thinking about this I realized it could get pretty complex if we don’t limit the scope somehow.

First, Spinitron should keep using email addresses for user identity. Changing this would be complicated.

Second, Spinitron should offer user authorization of an external Oauth provider only in the password set and reset email transactions. Password reset is initiated with the “Forgot your password?” link on the login form. User invitation is initiated by a station manager with the “Add users” button on the manage users page.

In both cases Spinitron sends an email to the user including a link with a temporary one-time authentication token. The link loads a page with a form to set a password. I think we could add to that page an option to link a Google or Facebook account.

Consequences and details:

A user cannot authenticate with Oauth within the self-service user account creation forms.
A user invited to Spinitron by a station manager using the “Add users” feature receives a welcome email with a “set password” link.
A user who uses the reset password feature receives an email with a “reset password” link.
Both of these link to roughly the same thing, a page that allows you to set a (new) password or authorize an external Oauth provider.
A user can have only one means of authentication established at a time: password, or Google, or Facebook. Thus setting a password cancels Oauth; linking Google cancels password and Facebook; linking Facebook cancels password and Google.
An existing Spinitron user who wants to switch to Oauth uses password reset.
A user can de-authorize an Oauth provider using password reset.

I’m not committing to implementing this. I’m just elaborating the request into specification of one idea for an implementation for the sake of discussion.

timlight10 · February 3, 2020, 6:23pm

Our app uses either CAS or SAML. Is this a possibility with Spinitron?

tom · February 3, 2020, 9:24pm

It is technically possible but adds even more complexity to the development outlined above.

So far my impression is that this will be a lot of work and I’m far from convinced that it’s justified.

timlight10 · February 4, 2020, 2:53am

This is not enough of an issue for us to pursue then. Thanks for the input and consideration