Post B1PRToBqGrJ742ZsYa by semitones@tiny.tilde.website
 (DIR) Post #B1PQ992PSpZpgfkTpI by futurebird@sauropods.win
       2025-12-19T11:38:46Z
       
       0 likes, 0 repeats
       
       The CS club is excited to set up new services on the student intranet at our small grade school. Currently the school uses Google for authentication. We can talk about how that isn't ideal, how Google is bad etc. but the student club can't change this and neither can I. So, any service they create will need to use that same authentication service. (We do not want to run anon services, or have students register again.) Anyone have experience doing this on a small scale?
       
 (DIR) Post #B1PQ9A73T2t31Mvhho by futurebird@sauropods.win
       2025-12-19T11:42:07Z
       
       0 likes, 0 repeats
       
       I used to be a bit of a hack PHP web dev in my awkward private sector days. I can show them how to make all kinds of things using PHP. I think making a "whiteboard", basically a single Wikipedia page that anyone can edit, with history, that uses Google authentication would be a good first project for me. I don't really want them to waste much time learning the details of any authentication service or language. These are fleeting things.
       
 (DIR) Post #B1PQ9BAzVtd6JrmMTo by futurebird@sauropods.win
       2025-12-19T11:44:28Z
       
       0 likes, 0 repeats
       
       There is a labor of love for any dev who'd make a FOSS universal authentication service that institutions like schools would WANT to use. Until that happens the reality is google dominates and everyone uses it, by not playing along nice with it? It's just isolationism.
       
 (DIR) Post #B1PQ9Bu0oVdsZUqJea by futurebird@sauropods.win
       2025-12-19T11:48:40Z
       
       0 likes, 0 repeats
       
       *evil grin expands* Could one use google's authentication API to make a service people could sign up for that would be independent of google authentication? A kind of escape hatch? Your ordinary computer user will balk at "signing up" and filling out forms. It's one of the greatest barriers to getting people "on here" among other places. I recently went through the sign up process on the fedi with an adult friend and frankly it's unacceptable.
       
 (DIR) Post #B1PQ9CaCHfO0gKa0PI by flashesofpanic@ruby.social
       2025-12-19T12:53:37Z
       
       0 likes, 0 repeats
       
       @futurebird So... auth* is genuinely difficult. It's really two projects, authentication (you are who you say you are) and authorization (this authenticated user is allowed to read/write/execute this resource). I think explaining this to your CS club kids is good and might lead some of the curious ones to look into it more deeply.
       
 (DIR) Post #B1PQ9JqPHnVnCdDY92 by flashesofpanic@ruby.social
       2025-12-19T12:58:14Z
       
       0 likes, 0 repeats
       
       @futurebird You'll need to do authorization for your project(s), authorization is hard to outsource. But every employer I've had since grad school has outsourced authentication (Google or MS) because it's HARD to do correctly and these companies have it *solved*. (The thing that worries me is that by relying on them, we risk losing the skill that solved it, just like fewer and fewer admins want to run mail servers.)
       
 (DIR) Post #B1PQC6udp2gzxrWsGP by BillySmith@social.coop
       2025-12-19T12:33:39Z
       
       0 likes, 0 repeats
       
       @futurebird Take a look here: https://coopcloud.tech/ They have authentication services, as well as a range of FLOSS equivalents to proprietary software. :D @autonomic can tell you more. :D
       
 (DIR) Post #B1PQuiYdDiazSaVLyS by operand@todon.nl
       2025-12-19T14:34:24Z
       
       0 likes, 0 repeats
       
       @futurebird independent of the various standards that exist for authentication and authorization, you can absolutely do this, and many open source webapps *already do* (if i understand your post correctly which i might not have) you need some kind of model of what a user is internal to your application, and then map your various authentication sources (username/password, "log in with google", "log in with facebook", OpenID Connect, etc) onto that internal user model. this is very doable but also quite a bit of work, and worse, quite a bit of *security-critical* work.
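
Added example (not part of any post in this thread): the internal user model described in the reply above, sketched in PHP, with authentication kept separate from the authorization decision raised earlier in the thread. It assumes the ID-token claims were already verified (signature, expiry, audience) by an OAuth/OIDC library; `school.example`, `UserDirectory` and the role names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. $claims must come from an ID token whose signature,
// expiry and audience were already verified by an OAuth/OIDC library.
const SCHOOL_DOMAIN = 'school.example';   // hypothetical Workspace domain
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

final class UserDirectory
{
    private array $users = [];       // internal id => ['name' => ..., 'role' => ...]
    private array $identities = [];  // "provider|subject" => internal id
    private int $nextId = 1;

    /** Authentication: map a verified external identity to an internal user id. */
    public function resolve(array $claims): int
    {
        if (!in_array($claims['iss'] ?? '', GOOGLE_ISSUERS, true)) {
            throw new RuntimeException('unexpected issuer');
        }
        // hd is Google's hosted-domain claim; reject accounts outside the school.
        if (($claims['hd'] ?? '') !== SCHOOL_DOMAIN) {
            throw new RuntimeException('account is not in the school domain');
        }
        if (!is_string($claims['sub'] ?? null) || $claims['sub'] === '') {
            throw new RuntimeException('missing subject');
        }
        // Key on provider + sub, never on email: addresses get renamed or reassigned.
        $key = 'google|' . $claims['sub'];
        if (!isset($this->identities[$key])) {
            $id = $this->nextId++;
            $this->users[$id] = ['name' => $claims['name'] ?? 'unknown', 'role' => 'student'];
            $this->identities[$key] = $id;
        }
        return $this->identities[$key];
    }

    /** Authorization: a separate decision the application makes itself. */
    public function can(int $userId, string $action): bool
    {
        $allowed = ['student' => ['read', 'edit'], 'moderator' => ['read', 'edit', 'revert']];
        return in_array($action, $allowed[$this->users[$userId]['role'] ?? ''] ?? [], true);
    }
}

// Constructed sample claims, not real token contents.
$dir = new UserDirectory();
$uid = $dir->resolve(['iss' => 'https://accounts.google.com', 'sub' => '1001',
    'hd' => SCHOOL_DOMAIN, 'name' => 'Sample Student']);
var_dump($dir->can($uid, 'edit'), $dir->can($uid, 'revert'));
```

A second login source (username/password, another OIDC provider) would add its own `provider|subject` keys pointing at the same internal ids, leaving `can()` untouched.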
       
 (DIR) Post #B1PRToBqGrJ742ZsYa by semitones@tiny.tilde.website
       2025-12-19T12:59:36Z
       
       0 likes, 0 repeats
       
       @futurebird there is a great story about how stack overflow started out supporting openID, but this was too fraught and they scaled back to Oauth. I don't understand the technology myself. Blog post: https://stackoverflow.blog/2010/04/13/openid-one-year-later/ I think if you use yunohost that has a login mechanism that unifies the logins into services on that server. Maybe it is LDAP? Idk
       
 (DIR) Post #B1PSZR0TTkcar0VVTM by vga256@mastodon.tomodori.net
       2025-12-19T11:48:36Z
       
       0 likes, 0 repeats
       
       @futurebird why not start with what you're already familiar with - there are several php-based OAuth clients out there, including google's official one here https://github.com/googleapis/google-auth-library-php if you're looking for something written in php that's wikipedia-like and supports browser edits, kiki does that. i wrote it with that functionality specifically in mind: https://tomotama.com/kiki browsing the source might at least give you some ideas on implementing it yourself.
       
 (DIR) Post #B1PSgMDlfb9w2T1gFk by jonquass@techhub.social
       2025-12-19T13:10:09Z
       
       0 likes, 0 repeats
       
       @futurebird Google already lists PHP libraries you can use to implement OAuth2 with for your project https://developers.google.com/identity/protocols/oauth2/web-server
       
 (DIR) Post #B1PUOoBVACx1Sgj41w by rbairwell@mastodon.org.uk
       2025-12-19T11:50:13Z
       
       0 likes, 0 repeats
       
       @futurebird I know the UK education sector tends to use Shibboleth https://www.ukfederation.org.uk/ / https://www.shibboleth.net/ : I last interacted with it around 15 years ago when it wasn't available for external partners, but I believe that's changed.
       
 (DIR) Post #B1PUn1v7kIJR0qcC24 by jerzone@techhub.social
       2025-12-19T12:08:03Z
       
       0 likes, 0 repeats
       
       @futurebird Buying vitamins the other day and first words from cashier, “phone number?” Er, no. Then at the end, “email address for receipt?” The email question shows up a lot during checkout now. The thing is, even if you give it to them they’ll either still ask you every time OR they’ll use it with other info they've deduced to make your new “account”.
       
 (DIR) Post #B1PWJrPBxeYxuYtibo by JessTheUnstill@infosec.exchange
       2025-12-19T12:17:34Z
       
       0 likes, 0 repeats
       
       @futurebird I mean, that's just Oauth. The tech has been an industry standard for decades in corps (That's what happens under the hood with "Sign in with SSO"), it just would require users and site owners to decide to support yet another auth mechanism.
       
 (DIR) Post #B1PWJxnWC7aRjkKEMK by JessTheUnstill@infosec.exchange
       2025-12-19T12:26:35Z
       
       0 likes, 0 repeats
       
       @futurebird All the sign in with Google/Apple/Facebook nonsense is the same tech, just their logos slapped on top and their server name hard coded.
       
 (DIR) Post #B1PWTluzDWp7myUmPY by ThreeSigma@mastodon.online
       2025-12-19T15:36:44Z
       
       0 likes, 0 repeats
       
       @futurebird A bit.  I used Auth0 as an intermediary, which allowed low volumes for cheap/free and was easier to set up than doing oauth2 from scratch.  But that was a few years ago now.
       
 (DIR) Post #B1PklxvmguE1cJREnI by th@social.v.st
       2025-12-19T18:16:55Z
       
       0 likes, 0 repeats
       
       @futurebird for the v.st sites we run Keycloak that then provides authentication to mastodon, matrix, nextcloud, hedgedocs, immich, gitea, etc. Single Sign On is possible for self-hosted services, although you need to pick-and-choose based on the OIDC or OAuth2 support.
       
 (DIR) Post #B1PsTragKCyMNDRlZo by Laust@ohai.social
       2025-12-19T19:43:16Z
       
       0 likes, 0 repeats
       
       @futurebird I just stumbled over this: https://toot.cat/@plexus/115746591074215601 Could that be of any use?