migrate from Keycloak to Dex

#287
Opened by flokli at 2023-07-20T10·12+00

It seems Keycloak GitHub login is still broken (b/201), and Keycloak itself is a bit of a pain to manage.

It recently (?) started to allow signups without an IdP.

We should probably replace Keycloak with Dex. Some care needs to be taken to ensure the same uids are returned to applications, so we keep the same Gerrit accounts etc.

  1. We currently still need a SAML endpoint to provide SSO login to Buildkite (as Buildkite doesn't seem to support SSO over generic OIDC yet (?)). I sent an email to their support, to check if I'm just missing it. They support Login with GitHub, which is just a specific OIDC provider, so supporting other OIDCs shouldn't be too much work.

    In any case, even if we need to support authenticating via SAML for them, we could possibly degrade Keycloak to just be that SAML endpoint, offloading all authentication work to Dex, and point all OIDC-compatible applications to Dex directly, causing most login issues to be gone.

    flokli at 2023-08-21T10·52+00