1283138 - Deprecate Persona and provide information to client about alternative methods to login to BMO

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: General, defect, P1)

Description

[Gene Wood [:gene]]

Continued from https://bugzilla.mozilla.org/show_bug.cgi?id=1223236#c7

:dylan,

Hi, I'm part of the Mozilla Enterprise Information Security team (previously called Opsec) and the previous devops engineer for Persona. In advance of the shutdown of Persona on November 30th[1], I was hoping to both find out what was planned, in regards to authentication, as well as offer up assistance and alternatives if needed.

Firstly, I'm hoping to communicate with either the developer/development team capable of modifying the authentication code for the site or the manager responsible for the site. If I've made this request to the wrong person, please let me know, and feel free to ignore the questions below. If you happen to know who the right person is and can share that with me even better.

If you'd prefer to just have a short discussion over Vidyo instead of writing a response, that's totally fine, either say so and I'll set it up or send a calendar invite to me to chat.

* It sounds like in Bug 1223236 the plan is to simply remove Persona as a login option. Is this the case? How will existing Persona users login after the option is removed?
* Is there a timetable and resources to complete the development of the change before November 30th?
* Since your currently using Persona for auth I'm assuming that bugzilla doesn't have access to metadata about users stored in LDAP (e.g. first and last name) or access to LDAP group information of users (e.g. what Mozilla team they're in). Would bugzilla benefit from this type of information if it were available in the new auth solution?


[1]: https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
[2]: http://identity.mozilla.com/post/27122712140/new-feature-adding-your-websites-name-and-logo

Comment 1

[Dylan Hardison [:dylan] (he/him)]

I was just thinking about this. 

First thing -- if Persona were to go away at this instant it would only have a minor effect on BMO users.

Bugzilla does not have different types of accounts, only different types of authenticators. Any Persona-using account
can perform a "forgot password" request and have a password. Users with passwords can use persona still. 

Meanwhile, we also support GitHub for authentication. Were I not a "no-external-auth" user, I could login with either my password, Persona, or GitHub (currently). 

I think the best migration strategy would be to replace the login with Persona button with a link to a page that explains
options the user now has for logging in:

 a) create or reset password
 b) login with GitHub.

We were also thinking of adding support for Firefox Accounts, but those are actually less useful than GitHub because they only
allow one email address.

As for the LDAP / groups stuff, that is something we should discuss in another bug. I know the idea using okta for employees has been floated...

Comment 2

[David Lawrence [:dkl]]

Attachment: 1283138_1.patch

Comment 3

[Dylan Hardison [:dylan] (he/him)]

Comment on attachment 8773943 [details] [diff] [review]
1283138_1.patch

Review of attachment 8773943 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

Apparently bz dev manager wasn't applying my params_bmo because is_bmo() broke after the migration to github. ugh.

Comment 4

[Ryan Kelly [:rfkelly]]

IIUC this is all done and dusted and Persona is no longer an option on BMO.  Closing this bug out, thanks all!