20 Jun 2025 |
hexa (signing key rotation when) | we can absolutely tie oidc in with github teams | 20:23:36 |
hexa (signing key rotation when) | we are already doing that for infra | 20:23:44 |
infinisil | Freescout supports OIDC? | 20:24:07 |
hexa (signing key rotation when) | https://freescout.net/module/oauth-login/ | 20:24:22 |
infinisil | I see no mention of OIDC | 20:24:36 |
infinisil | I don't really know OIDC though, so tell me if I'm wrong | 20:25:17 |
hexa (signing key rotation when) | you are very likely wrong | 20:25:33 |
hexa (signing key rotation when) | https://github.com/dexidp/dex#connectors | 20:25:40 |
emily | OIDC is based on top of OAuth | 20:25:47 |
infinisil | I see! | 20:26:12 |
emily | (but I don't know if the OIDC identity layer on top is relevant to any of the considerations here) | 20:26:25 |
emily | (it looks kind of like they're just using OAuth as an imprecise term for OIDC actually) | 20:27:21 |
hexa (signing key rotation when) | the question is just if the plugin can map groups | 20:27:24 |
hexa (signing key rotation when) | > Keep in mind that this is the general OAuth authentication plugin and it will not allow to adjust users access based on user's GitHub organization. | 20:28:22 |
infinisil | I don't think it makes sense to insist on OIDC now when we haven't done that for the mailing list in the past. The moderation team email is working in freescout, I just need to onboard everybody who got mails forwarded to their personal email before | 20:28:24 |
hexa (signing key rotation when) | ah, that is what freescout says themselves | 20:28:27 |
hexa (signing key rotation when) | but that is more likely a limitation they have | 20:28:34 |
hexa (signing key rotation when) | I absolutely dislike passing emails around in principle, but here we go | 20:29:28 |
hexa (signing key rotation when) | * I absolutely dislike passing email addresses around in principle, but here we go | 20:29:45 |
infinisil | Thanks! | 20:30:33 |
infinisil | What I'd like to see in the future is everybody having a <githubUser>@member.nixos.org email address, with some criteria for getting one of those | 20:31:00 |
hexa (signing key rotation when) | we should really roll our own IDM before we go for such a thing | 20:32:12 |
Emma [it/its] | so, i change my github username, what now? | 20:33:32 |
infinisil | I guess we would want to alias then | 20:34:03 |
infinisil | <githubId>@member.nixos.org is more stable but less usable :P | 20:34:31 |
Emma [it/its] | and even then, in the end i'd just end up never reading those emails most likely lol | 20:35:17 |
Emma [it/its] | if it forwards to my regular email, sure | 20:35:39 |
emily | email provider isn't a fun game to be in, you end up in the critical path of people's accounts etc. | 20:36:41 |
emily | and people expect addresses to live forever | 20:36:48 |
hexa (signing key rotation when) | though this one only needs to last as long as the project is alive | 20:37:17 |