Auth methods chat
Hi friends, I just asked this in the Infrastructure Weekly meeting, but I'll open it up to everyone:We (in #collect-information-from-users) are considering what future authentication options gov.uk publishers would use to set up and retrieve data using our Hypothetical Form Builder. Google auth is just for GDS, PAAS auth is just for paas - what method or methods would be best for us to support? (edited)
50 replies
the "users" here are service team users, correct?
Tris Oaten
these people, I think?
Tris Oaten
Sounds similar to the PaaS team's investigation into authentication a while ago.The conclusion back then was if you support single sign on from Google and Microsoft, you will have covered the majority of departmental users. And your users don't have to worry so much about offboarding, because they're using their corporate identities.
If you're looking at people who already publish content to GOV.UK though, there's the signon app. Which is not without its flaws, but has the big advantage that people already have accounts.
oh that's great thank you Rich
we're currently scoping only to govuk
I'm not familiar with the publishing setup, will all publishers certainly have signon creds?
Always use GovUK Sign-in … Just sayin’
@richard.towers what are the flaws we should be wary of?
Everyone has to use MFA, and we only support TOTP. This annoys some users who can't use apps on phones.But all publishers who use Whitehall will have accounts already, so they won't blame you for that.
@jamie.maynard do you have a link to sign-in docs, for implementation investigation? Is it oauth etc?
@alex.wilson @kerr.rainey Are probably better people to ask
I believe its OIDC under the hood but you’d need some sort of authorised user management as well… Or any citizen could use your service… but in principle we have the principle of “one login for government” maybe that should translate to services for Civil Servants as well just as a thought
also, I'm fuzzy about the difference between Sign-In and Sign-On
SO is for civil servants?
Sign on is for civil servants who need to interact with gov.uk publishing.Sign in is the digital identity single sign on (
What Richard said
neat! Are we planning on using sign-in for everything, eventually? with like an "admin" flag for civil servants?
I don’t think its been thought of in those terms yet… Although I can’t see why it couldn’t be at some point
who should I talk to about hat? (edited)
Ultimately Sign-in provides an identity like any id federation its down to your system to determine what that Identity can do
There's no plan that I've heard of to use sign-in for gov.uk publishing (although I wouldn't necessarily object).The admin flag you talk about starts to stray from authentication into authorisation, which should probably be solved by a separate system.
Currently sign-on solves both authentication and authorisation (e.g. can this person update HMRC content? can they update the prime minister's page? etc.). But it doesn't do a great job of either, tbh.
I understand we (plan to?) use GOV.UK sign-in as the auth system for service teams to self-serve their stuff. I'm not that close to this area though so I'm a bit hazy on the details.
From a technical pov GOV.UK Sign In can be used as a standard OIDC provider.
The product focus for DI is definitely end users and not service team users, but that doesn't mean that service team users couldn't use it
be nice to unify everything though, right?
yes, but priorities. DI already has a gazillion things to do
oh of course, I wasn't imagining any extra work for DI
Similarly GOV.UK - we've got a mostly working authentication solution right now, with limited benefit to replacing it. So expect the status quo to reign
If the principle is one login for government then part of me thinks we should be able to consume those identities and use that… As I said… Authorisation is a separate system from ID
currently I'm thinking we'll support multiple auth methods - hedge our bets on who "wins"
Authentication. Authorisation is someone else's problem
Jamie Maynard
One authentication feature that departments want is to use their corporate (gsuite / microsoft360) account to access services. That reduces the amount of creds their staff have to use, improves their ability to manage access centrally, and makes joiners / leavers processes simpler.I strongly doubt that DI will want to look at that aspect of authentication any time soon, because it doesn't make nearly as much sense for members of the public.It's possible (but unlikley) that sign-on might be interested in adding that feature though.
But DI is just another identity provider like Google work spaces and Microsoft AD… If you fill in the authorisation piece of the puzzle for one you solve it for all three
Yeah, I think we agree that authorisation is a problem to be solved separately
@kerr.rainey Does the ID provided by gov.uk sign-on provide an e-mail address with in it?
Yes.
FWIW - GOV.UK Publishing are thinking a bit about improving our authorisation situation. At the moment we have to write a lot of code to model who-has-access-to-what. We think we can probably do better.Eventually #collect-information-from-users will run into the same authorisation problems we have. Might be worth a conversation there so we don't solve the same problem twice.
Awesome!
But you can't revoke that account. Once it is set up, it's just the "username". There is no ongoing verification that the user still has access to that email.
No so good… oh do we provide the ability to change e-mail addresses on sign-on ids?
yes, or at least we will. (edited)