add "social" login #301

Closed
3 tasks
syjer opened this issue Jun 27, 2017 · 6 comments

Comments

@syjer
Member

syjer commented Jun 27, 2017

  • login with google
  • login with twitter
  • login with facebook
@syjer syjer added this to the 1.12 milestone Jun 27, 2017
@syjer syjer self-assigned this Jun 27, 2017
@vorburger
Contributor

Perhaps using http://www.keycloak.org?

@cbellone cbellone modified the milestones: 1.13, 1.12 Sep 6, 2017
@syjer syjer removed this from the 1.13 milestone Dec 2, 2017
@cbellone cbellone mentioned this issue Feb 7, 2018
@kivanov82
Contributor

Not sure if 'social login' feature solves a lot, well depending on what sort of users? For owners it doesn't solve a lot, there is no Organisation etc. Perhaps it would be nice for the ticket buyers, to speed up the purchase process?

In my case I need authorisation and authentication against my 3rd party platform, where there are: 'admins', 'owners', 'users'.
So the changes will be:

  1. Form based security - to use external oauth2 auth server. This will give the user roles (same as alf.io ones), name etc, organisation. In the case of successful authentication user and org will be created in alf DB too.
  2. Basic auth - add JWTAuthorizationFilter that will use the token provided (as a param, as done currently) to auth against oauth resource
  3. Make it all switchable, in the profile perhaps

@cbellone cbellone added this to the 2.0 milestone Feb 9, 2018
@cbellone
Member

cbellone commented Feb 9, 2018

@kivanov82 Yes, you're right. Perhaps "SSO using 3rd party services" would be more appropriate as title?

> For owners it doesn't solve a lot, there is no Organisation etc.

If the subsystem can be enabled by the admin after the first login (which should be done using the auto-generated username/password), then we could let him/her define a whitelist of authorized email / domains.
This could come in handy in case the organizer is not a single person and already has an auth server somewhere.

> Perhaps it would be nice for the ticket buyers, to speed up the purchase process?

Please note that currently alf.io doesn't manage (by design) the identity of the ticket buyer.
For v2 I agree that it could be a nice addition, but only if we can make it optional.

Just to be on the same page: what @syjer and I had in mind was adding another Spring Security handler for 3rd party authentication.
Something very similar to what @michael-simons did with KeyCloak:
http://info.michael-simons.eu/2017/12/28/use-keycloak-with-your-spring-boot-2-application/

This would require an update to Spring 5.x and Spring Boot 2.x, which we'll do as soon as we start the actual work on v2.

> So the changes will be:
> Form based security - to use external oauth2 auth server. This will give the user roles (same as alf.io ones), name etc, organisation. In the case of successful authentication user and org will be created in alf DB too.

In the blog post above, the actual authentication (either form-based or "social") is done on KeyCloak. Would this work also in your use case, or do you strictly require SAML-like authentication?

> Basic auth - add JWTAuthorizationFilter that will use the token provided (as a param, as done currently) to auth against oauth resource
> Make it all switchable, in the profile perhaps

Would you enable this only for requests coming from the mobile app?
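
The whitelist of authorized emails / domains suggested in the comment above, sketched as an added example (not alf.io code and not part of the original comment). The class name `SsoAllowlist` and the allowlist layout are hypothetical; `email` and `email_verified` are the standard OpenID Connect claims, and the ID token is assumed to have been signature-validated already by the OIDC client library.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not alf.io code: decides whether an identity asserted
// by an external IdP may be given an organizer/admin account.
public class SsoAllowlist {
    private final Set<String> emails;   // full addresses, lower-case
    private final Set<String> domains;  // bare domains, lower-case, no leading '@'

    public SsoAllowlist(Set<String> emails, Set<String> domains) {
        this.emails = emails;
        this.domains = domains;
    }

    // claims: ID token claims, assumed to be validated before this call.
    public boolean isAuthorized(Map<String, Object> claims) {
        // Only trust an address the IdP states it has verified; a missing or
        // non-boolean value fails closed.
        if (!Boolean.TRUE.equals(claims.get("email_verified"))) {
            return false;
        }
        if (!(claims.get("email") instanceof String)) {
            return false;
        }
        String email = ((String) claims.get("email")).trim().toLowerCase(Locale.ROOT);
        int at = email.lastIndexOf('@');
        // Reject a missing local part or domain, and more than one '@'.
        if (at <= 0 || at == email.length() - 1 || email.indexOf('@') != at) {
            return false;
        }
        String domain = email.substring(at + 1);
        // Exact match only: "example.org" must not admit "notexample.org" or
        // "example.org.other.test", which endsWith/contains checks would.
        return emails.contains(email) || domains.contains(domain);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        SsoAllowlist list = new SsoAllowlist(Set.of("owner@partner.test"), Set.of("example.org"));
        System.out.println(list.isAuthorized(Map.of("email", "Alice@Example.org", "email_verified", true)));  // allowed domain
        System.out.println(list.isAuthorized(Map.of("email", "bob@notexample.org", "email_verified", true))); // look-alike domain
        System.out.println(list.isAuthorized(Map.of("email", "carol@example.org", "email_verified", false))); // unverified address
        System.out.println(list.isAuthorized(Map.of("email", "owner@partner.test")));                         // claim missing
    }
}
```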

@vorburger
Contributor

> in the blog post above, the actual authentication (either form-based or "social") is done on KeyCloak.
> Would this work also in your use case, or do you strictly require SAML-like authentication?

@cbellone I'm guessing one could even do SAML-like authentication through KeyCloak.

My Mr. KeyCloak colleague @sebastienblanc may like to chime in (Seb, cool project here).

@sebastienblanc

@vorburger I know this project and I know @cbellone, we chatted at Devoxx Morocco ;) (World is small)

@syjer syjer mentioned this issue May 18, 2018
38 tasks
@cbellone cbellone modified the milestones: 2.0, 2.0-M3 Sep 26, 2019
@cbellone
Member

cbellone commented Sep 2, 2020

Implemented in #881.
We added support for OpenID-compliant IdPs, like Keycloak, Auth0 and others.
See https://alf.io/docs/configuration/openid/ for more info

@cbellone cbellone closed this as completed Sep 2, 2020