Access control

[Thechi2000]

I was thinking about how we could deal with access control (e.g. for news creation, later on forms, etc.).

Imo the best option would be to use a group based access control. We could have this as an separated service, to ease its use by other ones. This service would just hold the groups and rights, leaving to the client services the authentication part (which could go through Tequila)

[Robb-Fr]

Yes this would work well. I guess strapi has some built in accounts and access control model ? We could use this at first and eventually bind it to Tequila later ?

[codeofmochi]

Good point! I have thought about this and I think we need to distinguish 2 use cases:

• Authenticating to the admin panel (to edit news, sponsors, etc. i.e. website content managed through the CMS UI): it seems that Strapi uses passportjs under the hood. The good news is that a bunch of strategies are available, including one for Tequila (https://gitlab.com/epfl-sti/passport-tequila). The bad news is that it seems that Strapi has put single sign-on (SSO) behind a paywall (https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/sso.html#accessing-the-configuration). As @Robb-Fr mentioned, I think we'll use the default Strapi accounts for now, and we should investigate whether integrating the Tequila SSO is at all possible, and see if it's any difficult later. Strapi uses the admin panel accounts to also attribute roles, permissions and authorships, so I don't think we can circumvent it easily.

• Authenticating end users such as students, faculty members, etc. in the front-end (e.g. to access EPFL-protected resources, to verify that a user is an EPFL member, etc. in the business logic for the online services that we provide): this is not an issue. We'll probably use the aforementioned passport-tequila library within our NextJS stack, or run a standalone service.

[Thechi2000]

I'm mainly thinking about the content managers. As we are approaching the completion of reuform, I think that having a centralized AC management could be very useful, and it would allow to build other services relying on it.

For the end-users, Tequila should be enough

[codeofmochi]

I agree with the sentiment, though as @Robb-Fr said it will be hard to unify with Strapi's model, as SSO is not available in the community edition. If we could use Strapi's SSO, we could delegate the auth to such a centralized identity provider. I haven't found any workaround yet but I'll be happy to integrate a working solution if we can make something clean and secure 👍

[Robb-Fr]

Isn't content management done through Strapi? That's why I think AC for content clearly depends on what we can do with Strapi, it's not up to us to develop this

[Thechi2000]

I've done a bit of digging, and I found the Ory ecosystem. We could only use keto and oathkeeper, as the account management (kratos) and login (hydra) are done by Tequila