EE: OpenID Connect
Target release | Q3 2020 |
---|---|
Epic | |
Edition | E20 |
 | 50% |

Document owner | @Dennis Kittrell (Deactivated) |
---|---|
Designer | @Michael Gamble (Deactivated) |
Tech lead | @Scott Bishel |
Technical writers | @Sebastian Faase (Deactivated) |
QA | @Rohitesh Gupta (Deactivated) |
OKR | |
ProductBoard | |
Design Spec | <pending> |
Technical Spec | |
Test Plan | <pending> |
Objective
OpenID Connect (like SAML) is a federated authentication (sign-up/sign-in) standard.
OpenID Connect sits on top of the OAuth 2.0 framework (which is used for both authentication and authorization).
This feature will enable sign-up/sign-in to Mattermost using any OAuth 2.0 provider that adheres to the OpenID Connect specification.
Background
Customers and prospective customers have explicitly asked for OpenID Connect support by name, as well as for individual identity providers that follow the specification.
Examples:
Mattermost currently supports three specific identity providers for SSO via OAuth 2.0 (Google, GitLab and O365); however, this implementation does not adhere to the OpenID Connect specification, which means:
Mattermost is unable to benefit from OpenID Connect formatted ID tokens
Each new provider requires Mattermost engineering teams to build support for it
Success metrics
Goal | Metric |
---|---|
User Scenarios
Mattermost Admin
I want to sync my users to mattermost with my (currently unsupported) SSO provider, so that they can sign-up and login using those credentials and I won’t have to worry about security issues/password management.
I want to configure my SSO provider by simply providing the link to the standardized OpenID Connect discovery document along with the Application ID and Application Secret.
Mattermost member
I want to easily sign up and log in to Mattermost with existing organization credentials, so that I do not have to worry about security or the pain of managing another set of credentials.
I want a clear sign-up/sign-in button on web, desktop and mobile interfaces.
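The relying-party side of the flow the Objective describes, and the discovery document the admin scenario refers to, as an added Go example that is not Mattermost's own code: it parses a constructed discovery document and rejects one that lacks the endpoints the flow needs, then validates an ID token's algorithm, signature, issuer, audience (the Application ID), expiry and nonce before any claim is trusted. The provider URLs, client ID, client secret and claim values are all constructed. To stay offline the token is signed with HS256 keyed by the client secret, an option the OpenID Connect specification allows; most providers instead publish RS256 keys at jwks_uri, so a production relying party fetches the discovery document and JWKS over HTTPS and pins RS256 in the same place this example pins HS256. A token with more than one audience would additionally need the "azp" check, which this example omits by rejecting such tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Discovery holds the discovery-document fields a relying party needs.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// SampleDiscovery is a constructed document for a fictional provider (hypothetical URLs).
const SampleDiscovery = `{"issuer":"https://idp.example.test","authorization_endpoint":"https://idp.example.test/authorize","token_endpoint":"https://idp.example.test/token","jwks_uri":"https://idp.example.test/jwks.json"}`

// ParseDiscovery rejects a document missing any endpoint the flow needs, so a wrong URL fails when the admin saves the form.
func ParseDiscovery(doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if d.Issuer == "" || d.AuthorizationEndpoint == "" || d.TokenEndpoint == "" || d.JwksURI == "" {
		return nil, fmt.Errorf("discovery document is missing a required field")
	}
	return &d, nil
}

// IDTokenClaims are the claims checked before a sign-in is trusted; "aud" as a bare string (also allowed) is not handled here.
type IDTokenClaims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"`
	Expiry   int64    `json:"exp"`
	Nonce    string   `json:"nonce,omitempty"`
}

var b64 = base64.RawURLEncoding

func mac(secret []byte, signingInput string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(signingInput))
	return h.Sum(nil)
}

// SignIDToken mints an HS256 token keyed with the client secret, as the provider would; it exists only so the example runs offline.
func SignIDToken(secret []byte, claims IDTokenClaims) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(mac(secret, input)), nil
}

// VerifyIDToken checks algorithm, signature, issuer, audience, expiry and nonce in that order; now is Unix seconds.
func VerifyIDToken(token string, secret []byte, disc *Discovery, clientID, nonce string, now int64) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a compact JWS")
	}
	hdr, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("token is not base64url encoded")
	}
	// Pin the algorithm: the token header must not get to choose "none" or another alg.
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &header); err != nil || header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	if !hmac.Equal(sig, mac(secret, parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != disc.Issuer:
		return nil, fmt.Errorf("issuer %q is not the discovered issuer %q", c.Issuer, disc.Issuer)
	case len(c.Audience) != 1 || c.Audience[0] != clientID:
		return nil, fmt.Errorf("token was not issued for this client")
	case c.Expiry <= now:
		return nil, fmt.Errorf("token has expired")
	case c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch: possible replay")
	}
	return &c, nil
}

func main() { fmt.Println(ParseDiscovery([]byte(SampleDiscovery))) }
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is parsed, so no claim influences a decision until integrity is established, and the issuer is compared against the value from the discovery document rather than anything the token supplies.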
Assumptions
OpenID Connect support will replace the OAuth 2.0 section of the System Console, since we currently only use that section for OAuth authentication (not authorization of access) and all supported OAuth sign-in methods will be supported by OpenID Connect.
Future OAuth integrations will be implemented via plugin and will also be capable of utilizing the authorization/access functionality of OAuth.
Phases & Milestones
Areas Touched
Authentication
System Console UI (Authentication)
Mobile (sign-up/sign-in)
Requirements
Requirement | User Story | Importance | Jira Issue | Mobile Ticket | Notes |
---|---|---|---|---|---|
1 | Rename OAuth 2.0 section of system console to OpenID Connect Providers | Medium | N/A | | |
2 | Redesign/Rebuild Identity Provider form. In addition to choosing from the 3 existing and most popular identity providers, the option of “other” will enable a custom provider that adheres to the OpenID Connect specification. | HIGH | N/A | | |
3 | Redesign/Rebuild Identity Provider form to include standard fields for OpenID Connect - including the URL to the discovery document | HIGH | N/A | | |
4 | Add ability to customize text and color of sign-up/sign-in button for each provider (Web/Mobile) | Medium | MM-27671: WebApp - Update OAuth Login button to use config settings (Resolved) | MM-27671: WebApp - Update OAuth Login button to use config settings (Resolved) | |
5 | GitLab identity provider is currently supported via OAuth 2.0 and current customers using this method will need to be migrated to OpenID Connect | HIGH | MM-27673: Provide migration from OAuth from GitLab, Google, and Office 365 (Resolved) | N/A | |
6 | Google Apps identity provider is currently supported via OAuth 2.0 and current customers using this method will need to be migrated to OpenID Connect | HIGH | MM-27673: Provide migration from OAuth from GitLab, Google, and Office 365 (Resolved) | N/A | |
7 | O365 identity provider is currently supported via OAuth 2.0 and current customers using this method will need to be migrated to OpenID Connect | HIGH | MM-27673: Provide migration from OAuth from GitLab, Google, and Office 365 (Resolved) | N/A | |
8 | Telemetry | MEDIUM | N/A | | |
9 | Google SSO supported on mobile | | N/A | | |
Open Questions
Question | Answer | Date Answered |
---|---|---|
Can we work with the HW PR submitter to re-use the Google mobile button? | | |
Will this work well as a solution for: | | |
Out of Scope for MVP
Multiple OpenID Connect providers enabled at one time
Google sign-in/signup button on mobile