Defining a User #54

Open
darkcrux opened this issue May 25, 2016 · 6 comments

Comments
@darkcrux
Collaborator

Currently we're just supporting github and any user with proper github creds can create pipelines for repositories they have admin access to. There's barely a user profile.

When we start supporting other SCMs, a user profile might be useful. There might be a case when a user has repositories in both Github and BitBucket and wants to create pipelines for both.

A redesign of how the users are handled may be needed. Right now, if we support multiple SCMs, the user will have to relogin with the OAuth for github/bitbucket/etc to access their repositories. Might not be a good user experience.

@hunter
Contributor

hunter commented May 25, 2016

I would imagine similar issues if there was no repo added and all tests were triggered from docker reg webhooks.

Might be worth looking closer at k8s users and the ThirdPartyResource?

@darkcrux
Collaborator Author

An idea of a user profile might look like this:

kontinuous:
  users:
    {uuid}:
      name: username  # taken from sub of jwt or github/bitbucket ID?
      keys:
        github: _encrypted_github_key_
        bitbucket: _encrypted_bitbucket_key_

then an identities map to search for user profiles upon logging in:

kontinuous:
  identities:
    github:
      - {github_id}: {user_uuid}
    bitbucket:
      - {bitbucket_id}: {user_uuid}
    etc:
      - ???

the idea is that a user could have several identities (github, bitbucket, etc). the identities table maps the identity provided by github/bitbucket/auth0/etc to a user profile. This way we can have a user access their github & bitbucket repository as long as they link them to the profile.

we could have the following login endpoints:

  • /login/github
  • /login/bitbucket
  • etc

For Auth0 and other providers, they can already return a JWT with identities given, so it's just a matter of creating the user profile and identity mapping.

Auth flow will be similar to what we have now with a minor addition:

[github/bitbucket/etc starts here]

  1. user redirects to github/bitbucket then sends auth code to /login/{github,bitbucket}
  2. kontinuous retrieves token from either github/bitbucket
  3. kontinuous creates JWT with github/bitbucket identities added

[auth0, etc starts here]

  1. with a valid JWT, kontinuous searches the identities for matching user profile
  2. if profile is not found: create the user profile and mapping in the identities
  3. update JWT with the user profile (without the keys), just the UUID
  4. return the JWT. A valid JWT should have the user profile UUID

@hunter
Contributor

hunter commented May 27, 2016

Nice. I think my only initial comment is that rather than using uuid for user we use the same convention as ABAC with user

@hunter hunter added the ready label May 30, 2016
@darkcrux
Collaborator Author

darkcrux commented Jun 3, 2016

related:

for web login via github, bitbucket, etc:

[diagram attachment: user-oauth-jwt mmd]

for oidc login, eg. auth0:

[diagram attachment: user-oidc-jwt mmd]

ps. mermaid-cli is sooo cool.

@darkcrux
Collaborator Author

darkcrux commented Jun 3, 2016

a few things to note about user and authentication:

  1. need a way to add identities to an existing user (eg. user uses github login, a new user gets created with a github identity and able to access his github repositories. there should be a way to add bitbucket credentials to the existing user to be able to access bitbucket repositories, etc)
  2. support linking/merging of users? (eg. user uses github login, a new user is created. same user uses bitbucket login, a new user is also created. should there be a way to merge these two as a single user? or is it too complicated? should an email address be used to identify existing users?)

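The login flows sketched in the May 25 comment (github/bitbucket OAuth and auth0 OIDC both ending in an identities lookup, profile creation and a JWT carrying only the profile UUID) and point 1 above (adding a second identity to an existing user), as an added Go example. This is not kontinuous code: the in-memory Store, the Login/LinkIdentity/bind functions, the user-NNNN ids standing in for UUIDs, the HMAC secret and the hand-rolled HS256 JWT are all assumptions made for illustration. It keeps the two tables from the sketch (users keyed by UUID, identities keyed by provider and provider id), keeps SCM tokens server-side, and refuses to link an identity that already belongs to a different profile, which is the check a defender wants before any merge feature exists.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// User is the profile sketched in the thread; Keys never enter the JWT.
type User struct {
	UUID string
	Keys map[string]string // provider -> (encrypted) access token, server-side only
}

// Store holds profiles plus the identities map from the sketch.
type Store struct {
	Users      map[string]*User
	Identities map[string]map[string]string // provider -> provider id -> user UUID
	nextID     int                          // constructed stand-in for real UUID generation
}

func NewStore() *Store {
	return &Store{Users: map[string]*User{}, Identities: map[string]map[string]string{}}
}

// bind records identity -> user UUID in the identities map (hypothetical helper).
func (s *Store) bind(provider, providerID, uuid string) {
	if s.Identities[provider] == nil {
		s.Identities[provider] = map[string]string{}
	}
	s.Identities[provider][providerID] = uuid
}

// Login runs after the provider has authenticated the user: search the identities
// map, create profile and mapping if none exists, keep any SCM token server-side.
func (s *Store) Login(provider, providerID, token string) (*User, bool) {
	uuid, found := s.Identities[provider][providerID]
	if !found {
		s.nextID++
		uuid = fmt.Sprintf("user-%04d", s.nextID)
		s.Users[uuid] = &User{UUID: uuid, Keys: map[string]string{}}
		s.bind(provider, providerID, uuid)
	}
	if token != "" { // OIDC logins (auth0) carry no SCM token; github/bitbucket ones do
		s.Users[uuid].Keys[provider] = token
	}
	return s.Users[uuid], !found
}

// LinkIdentity adds another SCM identity and token to an existing profile, refusing
// to take over an identity that is already mapped to a different user.
func (s *Store) LinkIdentity(u *User, provider, providerID, token string) error {
	if owner, exists := s.Identities[provider][providerID]; exists && owner != u.UUID {
		return fmt.Errorf("%s identity %q already belongs to another user", provider, providerID)
	}
	s.bind(provider, providerID, u.UUID)
	u.Keys[provider] = token
	return nil
}

// Claims carried by the JWT: just the profile UUID, never the keys.
type Claims struct {
	Sub string `json:"sub"`
}
var jwtHeader = b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(secret []byte, input string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// IssueJWT builds a minimal HS256 JWT whose sub is the profile UUID.
func IssueJWT(secret []byte, u *User) string {
	payload, _ := json.Marshal(Claims{Sub: u.UUID})
	input := jwtHeader + "." + b64(payload)
	return input + "." + b64(sign(secret, input))
}

// VerifyJWT accepts only the exact header we issue (no "alg" switching) and checks
// the HMAC in constant time before any claim is trusted.
func VerifyJWT(secret []byte, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != jwtHeader {
		return nil, errors.New("malformed token or unsupported header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	return &c, nil
}
```

A github login followed by a bitbucket link makes both provider ids resolve to the same profile, a later bitbucket login finds that profile instead of creating a second one, and a JWT verifies only with the issuing secret and the pinned header. Merging two already-created profiles (point 2 above) is deliberately not modelled: the ownership check in LinkIdentity is what prevents one account from silently absorbing another's identity until a merge design exists.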
@darkcrux darkcrux added in progress and removed ready labels Jun 8, 2016
@darkcrux darkcrux self-assigned this Jun 8, 2016
@darkcrux
Collaborator Author

darkcrux commented Jun 9, 2016

login auth and user now follow this pattern. it should be easier to add new login now (bitbucket)
