Alternatives to Github for Authentication

Hi,
I’ve been encouraged on the IRC channel to open a discussion here.

An official announcement has been made today that Microsoft will be acquiring Github within the year. As a consequence, some Mozillians might become suspicious towards Github. Moreover, it might seem inconsistent that one is required to use a Microsoft property to sign in to Mozilla services.

So I suggest we discuss the possibility of providing more authentication methods.

PS: I’m not native English, please excuse my tendency to make overly complex sentences :slight_smile:

6 Likes

A very topical question! Did you have an alternative in mind?

There is much work progressing via Participation Systems, which has been integrating a number of approaches to identity access management over the last year. It’s my view that Github was one of the first of these, as we could use OAuth and hardware 2FA devices like Yubikeys. Solved a lot of issues quickly. We could not have known about Microsoft’s intention for this acquisition, and I do not currently know Mozilla’s official position on this.

Please understand that ParSys team is busy rolling out a number of alternatives in an IAM roadmap. Things like: staff and volunteer contact information is merging into the one tool, and integrating a more useful Firefox accounts identity. I asked about 2FA/U2F in bug 1464888 specifically in the Firefox Accounts so we had other options than Github.

1 Like

Actually no. I would have suggested that Mozilla use its own auth provider, but there was Persona before and it’s been discontinued. I don’t know the reasons but I guess they must have been good reasons.

This would be great! I have a Yubikey too and I don’t find many opportunities to use it.

Thanks for starting the discussion here. We also discussed it briefly in our dev meeting earlier today. At this point we have no plans to integrate other authentication systems. It’s not clear that the added overhead and complexity stands in any relation to the perceived benefit. It’s also partially motivated by our integration with Github that we’d like to explore further this year and next. Adding other authentication methods would make that more complicated, so we’d need a compelling reason to still pursue that.

7 Likes

The issue comes up from Microsoft acquiring GitHub.

Currently, there is only one way to log in to MDN web docs, that is GitHub. So if anyone wants to contribute to MDN, they must accept the privacy policy of Mozilla as well as GitHub. People are comfortable with Mozilla, but after the Microsoft acquisition, many people are not comfortable sharing their data with GitHub. So that will be a barrier for them to contribute to MDN.
Moreover, a good issue comes from the IRC: if anyone wants to delete his GitHub account, the only thing that will prevent him is MDN web docs, because if he deletes his GitHub account, he can no longer contribute to MDN web docs.

I understand that adding another authentication method may be complicated. But we should consider it in the near future. Maybe Firefox account is well suited to our needs?

1 Like

GitHub’s privacy policy has not changed with this announcement. (Though I think it recently changed as part of the GDPR wave.) You can be sure that Mozilla will be watching any future privacy policy changes closely, as there are many Mozilla projects that use GitHub. There are reasons to consider having another authentication provider, and avoiding a single point of failure is one of them. But “Microsoft is the bogeyman” is not.

9 Likes

I personally agree that we need another authentication method than GitHub. Not because of the Microsoft acquisition, but because there are non-developers who historically have done some contributing to MDN and requiring them to have a GitHub account may be prohibitive toward their contribution. I am hopeful that Firefox accounts will reach a point where we could use that as another login method for MDN.

Sheppy

4 Likes

Updating with today’s announcement from IAM: “Announcing Firefox Accounts in Mozilla IAM (cross post)”. I’ve added a plea for integration in that thread :stuck_out_tongue_winking_eye:

4 Likes

Github was down today for about 1 hour. I strongly believe we should consider having a fallback authentication system for MDN.

2 Likes

AFAIK, you should be able to log in as long as the email address is identical.

Could you not or did you try?

While it redirected me to the github page, I saw a timeout. So I could not log in!

3 Likes

Github is unavailable again and it’s not possible to log into MDN!

2 Likes

See bug 1488474, which was spun off from Mozilla IAM and Low Integrity Authentication.

Of course, there are mistakes in their assumptions about MDN in that. Like, we only currently use a PR model for data content, not for prose. That may change going forward, but is not currently true and won’t be for a good while yet at best.

That said, that sounds like an interesting concept.

2 Likes

A compelling reason? How about this:

MS is part of Big Data and dreaded - to put it mildly - by many in the free software world.

MS also feels at liberty to violently change their policies at any time without prior notice and might - like others already do - deplatform their own customers for somewhat less than compelling reasons.

Many free software advocates clearly feel uneasy and uncomfortable with having to accept Microsoft rules (being the only one option) if they want to help out MDN and be at the mercy of a large corporation whose policies in other fields they utterly dislike.

I 100% concur!

There also is OpenID - which has its flaws, of course - but which is being used by Ubuntu-One SSO service.

If Ubuntu can do it, why not Mozilla?

How about the MS “deplatforming policies”? I hear those have changed violently after the takeover. :cold_face:

Indeed! Forcing people to accept Microsoft house-rules is unacceptable - MS being a highly politicized American entity - to many Free-Software advocates.

Mozilla may well lose - or not attract - valuable contributors.

Truth be told, in my web search today on the %s URL parameter I found the best content way outside of any Mozilla site. Incidentally, contributors there were not forced to accept Micro$oft rules, which are somewhat incisive, as some have found out much to their chagrin.

I sign into lots of places using my website url. Adding IndieAuth would be a neat feature for MDN.

1 Like

moz://a should be weaned off Micro$oft now.