| 8 Mar 2024 |
hexa | In reply to @raitobezarius:matrix.org what if I send SAML support to Gitea tomorrow? * looks for a simpler feature and does it 😄 | 00:15:44 |
hexa |
IP Allowlist: Control access to your repositories by specifying approved IP addresses.
| 00:16:03 |
hexa | that sounds equally silly and simple | 00:16:08 |
raitobezarius | https://github.com/go-gitea/gitea/pull/29403 I have a better answer | 16:46:49 |
raitobezarius | Yes and it's the one used in Gitea Enterprise | 16:46:57 |
hexa |
Yes, CommitGo is using this PR.
| 16:50:12 |
hexa | lol | 16:50:13 |
hexa | at least they're using their enterprise customers as guinea pigs ig | 16:50:36 |
adamcstephens | So maybe they will accept them? Though if they have the patches privately it feels wrong that others may have to recreate the functionality. (Seems not to be the case) | 17:08:21 |
hexa | anyway, who cares about SAML? Nobody. | 17:11:08 |
raitobezarius | i want to roast you but i will prevent myself | 17:11:28 |
raitobezarius | yes not everyone does not do authentication over an authorization RFC | 17:11:38 |
hexa | universities do | 17:11:41 |
raitobezarius | i much prefer saml to oauth2 | 17:12:01 |
raitobezarius | * i much prefer saml to oauth2/oidc | 17:12:06 |
hexa | lol what | 17:12:14 |
hexa | https://joonas.fi/2021/08/saml-is-insecure-by-design/ | 17:12:24 |
hexa | https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 | 17:13:08 |
hexa | https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 | 17:13:22 |
hexa |
We should always guide people to use oauth2/oidc first, and then LDAP app passwords second, with SAML as an absolute last resort. If we end up in that situation, we may need to add it.
https://github.com/kanidm/kanidm/issues/2025#issue-1866005716
| 17:20:09 |
hexa | don't trust me, trust firstyear 😄 | 17:20:14 |
raitobezarius | i don't really do this sort of things, sorry | 17:59:12 |
raitobezarius | In reply to @hexa:lossy.network https://joonas.fi/2021/08/saml-is-insecure-by-design/ the link you mentioned concludes the same thing though | 18:00:05 |
raitobezarius | oauth2 is not an alternative | 18:00:08 |
raitobezarius | so sure, i can just not use saml and use something that has not been built for authentication | 18:00:24 |
raitobezarius | but yes I am very much well aware of all the XML malleability issues... :^). | 18:00:57 |
raitobezarius | that doesn't change the fact there's no alternative to SAML and there's a sensible path to SAML implementation | 18:01:12 |
raitobezarius | so maybe firstyear will expand his section on why SAML is bad and I hope it's not because people in the enterprise ecosystem don't know how to do canonical document formats | 18:02:01 |
raitobezarius | because, if that's the argument, I hope people apply it to their own software. | 18:02:25 |
| 9 Mar 2024 |
hexa | In reply to @raitobezarius:matrix.org oauth2 is not an alternative right, saml is a concept that separates identity and service providers quite neatly, but why would you rule out oauth2? | 01:35:25 |