Closed Bug 1387250 Opened 7 years ago Closed 6 years ago

Use Auth0 SSO on Heroku

Categories

(mozilla.org :: Heroku: Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1463209

People

(Reporter: emorley, Unassigned)

Details

Filing this in response to the meeting held earlier today.

Now that the Mozilla Heroku account is an Enterprise account, we can take advantage of their SSO support to improve security and reduce the burden in bug 1250950. Note: The account doesn't currently use SSO at all, so this doesn't have the same urgency as the okta->auth0 migrations being performed elsewhere.

Docs:
https://devcenter.heroku.com/articles/using-sso-services-with-heroku
https://devcenter.heroku.com/articles/using-single-sign-on-sso-services-with-heroku-for-end-users
https://auth0.com/docs/protocols/saml/saml-apps/heroku

Things to bear in mind:
* Existing Heroku users who:
  - use @mozilla.com aliases rather than their canonical LDAP address.
  - use non-mozilla email addresses (both employees and contractor/volunteer).
* Users who have personal Heroku apps, who will need to be told that they may want to move their apps to a separate account. (But note: Heroku doesn't support easy switching between an SSO account and personal account).
* Even when a user is removed/disabled in Auth0, their API keys will still be active in Heroku for a period of time after, unless manually deleted there too.

Questions to ask Heroku:
* Whether enrolment is indeed optional for *existing* users.
* Whether *new* users can still be added outside of SSO (eg for contractors).
* How long the API keys are valid after the user last signed in (is it the same as the 8 hour session length, or are the user-generated API keys different?)
* If there is a dev/stage environment/account that SSO can be tested on first.
* Whether the 8 hour session length mentioned in the SSO docs can be overridden.

(In reply to Ed Morley [:emorley] from comment #0)
> But note: Heroku doesn't support easy switching between an SSO account and personal account

Ah for the CLI they actually do have this:
https://github.com/heroku/heroku-accounts

The story for the web dashboard is less ideal however.

(In reply to Ed Morley [:emorley] from comment #1)
> (In reply to Ed Morley [:emorley] from comment #0)
> > But note: Heroku doesn't support easy switching between an SSO account and personal account
> 
> Ah for the CLI they actually do have this:
> https://github.com/heroku/heroku-accounts

Caution: heroku-accounts plugin caches plain text credentials in
      ~/.heroku/accounts/
that are not erased by `heroku logout`

> The story for the web dashboard is less ideal however.

Containers!

(In reply to Hal Wine [:hwine] (use NI) from comment #2)
> Caution: heroku-accounts plugin caches plain text credentials in
>       ~/.heroku/accounts/
> that are not erased by `heroku logout`

By plain text, do you mean the same style API tokens that are present in `~/.netrc` (rather than the actual password)? If so, that isn't a regression over the single account implementation.

Reg not clearing the cached accounts on `heroku logout` - the docs say to use `heroku accounts:remove ...`, though perhaps it should also be hooked into logout. Perhaps open an issue?
https://github.com/heroku/heroku-accounts/issues

s/Reg/Re/

(In reply to Ed Morley [:emorley] from comment #3)
> (In reply to Hal Wine [:hwine] (use NI) from comment #2)
> By plain text, do you mean the same style API tokens that are present in
> `~/.netrc` (rather than the actual password)? If so, that isn't a regression
> over the single account implementation.

Yes, and agreed it's not a "regression". And I don't think it's a bug in the extension, as the extension is designed to prefer usability over strict security.

I just think users should be aware, once using this extension, 'heroku logout' no longer removes credentials from your machine.
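The caution above is about credentials that outlive `heroku logout`. The following shell function is an added example, not code from this bug or from the heroku-accounts project: given a home directory, it reports the two on-disk locations named in the thread, a `machine api.heroku.com` (or `git.heroku.com`) entry in `~/.netrc` and any cached account file under `~/.heroku/accounts/`, and flags files readable by other users. It assumes the plugin keeps one file per account directly under that directory; the `~/.netrc` entry format is the one the Heroku CLI writes.

```shell
#!/bin/sh
# Added example (not from the bug thread or the heroku-accounts project).
# Lists Heroku credential artifacts left on disk so an operator can confirm
# that a logout (or a removed SSO user) actually cleared the machine.
#
# Assumption: heroku-accounts stores one file per account under
# ~/.heroku/accounts/ (the thread names only the directory).
#
# Usage: . ./check_heroku_creds.sh; find_stale_heroku_creds "$HOME"

# find_stale_heroku_creds HOME_DIR
# Prints one line per artifact found. Returns 0 when clean, 1 when any remain.
find_stale_heroku_creds() {
    home_dir="$1"
    found=0

    # 1. Single-account CLI: a netrc entry for the Heroku API or git endpoint.
    netrc="$home_dir/.netrc"
    if [ -f "$netrc" ] && grep -Eq '^[[:space:]]*machine[[:space:]]+(api|git)\.heroku\.com' "$netrc"; then
        echo "netrc: Heroku machine entry still present in $netrc$(world_readable_note "$netrc")"
        found=1
    fi

    # 2. heroku-accounts plugin cache: any regular file under ~/.heroku/accounts/.
    accounts_dir="$home_dir/.heroku/accounts"
    if [ -d "$accounts_dir" ]; then
        for f in "$accounts_dir"/*; do
            [ -f "$f" ] || continue   # unmatched glob stays literal; skip it
            echo "heroku-accounts: cached account file $f$(world_readable_note "$f")"
            found=1
        done
    fi

    return $found
}

# world_readable_note FILE
# Prints " (world-readable)" when the other-read bit is set, nothing otherwise.
# find -perm -MODE is POSIX, unlike the GNU/BSD-specific stat flags.
world_readable_note() {
    if find "$1" -perm -004 | grep -q .; then
        printf ' (world-readable)'
    fi
}
```

Run it against a real home directory after `heroku logout` and `heroku accounts:remove ...`; a non-zero exit means a token is still sitting on disk and should be deleted (and, if the user has left, revoked on the Heroku side, since the thread notes API keys remain valid there until removed).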
See Also: → 1429430
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
See Also: 1250950, 1429430

Forward duping to the new bug (bug 1463209), since we've ended up with two, and people are using the new one for discussion.