| 20 Jun 2025 |
hexa | ^ | 20:22:06 |
hexa | for that exact reason | 20:22:10 |
hexa | this should not have gone into production without proper login infrastructure | 20:22:22 |
infinisil | That doesn't work either way | 20:22:28 |
hexa | why not? | 20:22:38 |
infinisil | hexa (signing key rotation when): I added it in https://github.com/NixOS/infra/issues/700#issue-3098140041 | 20:23:15 |
hexa | https://github.com/NixOS/infra/blob/main/build/pluto/prometheus/alertmanager.nix#L79-L84 | 20:23:28 |
hexa | we can absolutely tie oidc in with github teams | 20:23:36 |
hexa | we are already doing that for infra | 20:23:44 |
infinisil | Freescout supports OIDC? | 20:24:07 |
hexa | https://freescout.net/module/oauth-login/ | 20:24:22 |
infinisil | I see no mention of OIDC | 20:24:36 |
infinisil | I don't really know OIDC though, so tell me if I'm wrong | 20:25:17 |
hexa | you are very likely wrong | 20:25:33 |
hexa | https://github.com/dexidp/dex#connectors | 20:25:40 |
emily | OIDC is based on top of OAuth | 20:25:47 |
infinisil | I see! | 20:26:12 |
emily | (but I don't know if the OIDC identity layer on top is relevant to any of the considerations here) | 20:26:25 |
emily | (it looks kind of like they're just using OAuth as an imprecise term for OIDC actually) | 20:27:21 |
hexa | the question is just if the plugin can map groups | 20:27:24 |
hexa |
Keep in mind that this is the general OAuth authentication plugin and it will not allow to adjust users access based on user's GitHub organization.
| 20:28:22 |
infinisil | I don't think it makes sense to insist on OIDC now when we haven't done that for the mailing list in the past. The moderation team email is working in freescout, I just need to onboard everybody who got mails forwarded to their personal email before | 20:28:24 |
hexa | ah, that is what freescout says themselves | 20:28:27 |
hexa | but that is more likely a limitation they have | 20:28:34 |
hexa | I absolutely dislike passing emails around in principle, but here we go | 20:29:28 |
hexa | * I absolutely dislike passing email addresses around in principle, but here we go | 20:29:45 |
infinisil | Thanks! | 20:30:33 |
infinisil | What I'd like to see in the future is everybody having a <githubUser>@member.nixos.org email address, with some criteria for getting one of those | 20:31:00 |
hexa | we should really roll our own IDM before we go for such a thing | 20:32:12 |
@emma:rory.gay | so, i change my github username, what now? | 20:33:32 |