We will want to be able to open the API to users outside the Toolforge infrastructure.
This task is to investigate current practices and the options we have for doing authentication in Toolforge.
Currently we do TLS client-certificate authentication, using the client certificates that were generated for the tools (they live in the tools' NFS shared folders), which ties authentication to being able to read those files from inside the infrastructure.
Some options to investigate are:
* using idp.wmcloud.org
* using wikitech
=== idp.wmcloud.org ===
This uses CAS as the SSO server.
It supports the following protocols:
* OAuth
* CAS protocol
* OpenID / OpenID Connect
* SAML
* REST
We are already using it to authenticate several sites, for example https://prometheus-alerts.wmcloud.org/
The attributes we get back from the server include the user's LDAP groups under the `memberOf` key; tool memberships show up as `cn=tools.<name>,ou=servicegroups,dc=wikimedia,dc=org` entries and Cloud VPS project memberships as `cn=project-<name>,ou=groups,dc=wikimedia,dc=org` entries:
```
memberOf [cn=tools.sqlchecker,ou=servicegroups,dc=wikimedia,dc=org, cn=tools.wm-lol,ou=servicegroups,dc=wikimedia,dc=org, cn=tools.jobs,ou=servicegroups,dc=wikimedia,dc=org, cn=project-account-creation-assistance,ou=groups,dc=wikimedia,dc=org, cn=project-cloudvirt-canary,ou=groups,dc=wikimedia,dc=org, cn=project-dumps,ou=groups,dc=wikimedia,dc=org, cn=project-wmflabsdotorg,ou=groups,dc=wikimedia,dc=org, cn=tools.toolschecker,ou=servicegroups,dc=wikimedia,dc=org, cn=tools.cloud-ceph-performance-tests,ou=servicegroups, ...
```
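As an added example (not Toolforge or CAS code), here is how the API could turn that `memberOf` attribute into a per-tool authorization decision. It assumes the CAS client hands us `memberOf` as a list of LDAP DN strings shaped like the ones above, that the API wants to answer "may this user act on tool X?", and the function names are hypothetical; the sample DN list is constructed from the entries shown above plus one decoy.

```python
"""Authorization from the idp.wmcloud.org `memberOf` attribute.

Added example; this is not Toolforge or CAS code. It assumes the CAS client hands us
`memberOf` as a list of LDAP DN strings shaped like the ones in the task description.
Function names are hypothetical.
"""
import re

# Tool membership DNs look like cn=tools.<name>,ou=servicegroups,dc=wikimedia,dc=org;
# Cloud VPS project membership DNs look like cn=project-<name>,ou=groups,dc=wikimedia,dc=org.
# Anchoring on the full DN (not just the cn) keeps a similarly named entry under
# another OU from being mistaken for a tool membership.
_TOOL_DN = re.compile(
    r"^cn=tools\.(?P<name>[a-z0-9][a-z0-9_-]*),ou=servicegroups,dc=wikimedia,dc=org$",
    re.IGNORECASE,
)
_PROJECT_DN = re.compile(
    r"^cn=project-(?P<name>[a-z0-9][a-z0-9_-]*),ou=groups,dc=wikimedia,dc=org$",
    re.IGNORECASE,
)


def _names(dns, pattern):
    """Collect the <name> capture of every DN that matches `pattern` in full."""
    found = set()
    for dn in dns:
        m = pattern.match(dn.strip())
        if m:
            found.add(m.group("name").lower())
    return found


def tools_from_member_of(member_of):
    """Tool names the user is a maintainer of, e.g. {'sqlchecker', 'wm-lol'}."""
    return _names(member_of, _TOOL_DN)


def projects_from_member_of(member_of):
    """Cloud VPS project names the user belongs to, e.g. {'dumps'}."""
    return _names(member_of, _PROJECT_DN)


def may_act_on_tool(member_of, tool):
    """True if the IdP-asserted groups show the user as a member of `tool`.

    Accepts either the bare tool name or the unix account form 'tools.<name>'.
    `member_of` must come from the validated IdP response (ticket validation /
    ID token), never from anything the caller of the API sends in the request.
    """
    name = tool.lower()
    if name.startswith("tools."):
        name = name[len("tools."):]
    return name in tools_from_member_of(member_of)


# Constructed sample: DNs taken from the task description plus one decoy entry that
# has a tool-looking cn under the wrong OU and must not grant anything.
SAMPLE_MEMBER_OF = [
    "cn=tools.sqlchecker,ou=servicegroups,dc=wikimedia,dc=org",
    "cn=tools.wm-lol,ou=servicegroups,dc=wikimedia,dc=org",
    "cn=project-dumps,ou=groups,dc=wikimedia,dc=org",
    "cn=tools.decoy,ou=groups,dc=wikimedia,dc=org",  # constructed decoy
]

if __name__ == "__main__":
    print("tools:", sorted(tools_from_member_of(SAMPLE_MEMBER_OF)))
    print("projects:", sorted(projects_from_member_of(SAMPLE_MEMBER_OF)))
    for tool in ("sqlchecker", "tools.wm-lol", "decoy"):
        print(tool, "->", may_act_on_tool(SAMPLE_MEMBER_OF, tool))
```

The point of matching the whole DN rather than just the `cn=` prefix is that group membership is the authorization signal: only entries under `ou=servicegroups` are tool memberships, so the decoy entry under `ou=groups` is ignored. Whatever protocol we pick from the list above, the `memberOf` values must be taken from the IdP's validated response server-side, not from a claim the API client supplies.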
=== wikitech ===
TBD