Problem/Motivation

Drupal.org needs to update past Drupal 7. There will be a transition time when we have both D7 & D9+ sites. These need single sign on (SSO) with each other. Our SSO solution for D7 & earlier is a Drupal module called Bakery. Instead of updating & continuing to maintain Bakery, the Drupal Association has chosen to use a 3rd-party service for login & SSO, Keycloak.

In addition to SSO, Keycloak will be used to enable social sign on. This will make starting to contribute to Drupal a little easier, replacing the need to make a new login just for Drupal.org.

The codebases for our Keycloak extensions and migration are at https://gitlab.com/drupal-infrastructure/sso

Proposed resolution

Our Keycloak instance will be hosted by a 3rd party. In general, we’ll do an incremental migration, test thoroughly, and eventually switch to it as the way to log into Drupal.org.

Remaining tasks

Will be organized in child issues.

User interface changes

Keycloak will render & host login and related pages. Some tasks, like changing your password, will be done on Keycloak instead of Drupal.

Data model changes

User accounts will remain as-is.

Comments

drumm created an issue.

fgm:

Since Keycloak will be hosted by a third party, doesn't that affect our GDPR profile (and equivalents like APPI, PIPA, PIPEDA...)?

hestenet:

@fgm - yes, we have a Data Processor agreement with Cloud-IAM - and will have all the appropriate disclosures updated in the privacy policy and terms as required by law. That was an important issue in selecting the vendor, and as a French company Cloud IAM felt like a better choice than some other alternatives in non-GDPR countries who 'claim' GDPR compliance.

fgm:

Thanks for the confirmation. And congratulations on choosing a French solution :-)

hestenet:

@sanduhrs and I are talking at DrupalCon Lille Contribution Day about using the Keycloak end-point to support the localization client.

Added a child issue: #3338978: Replace Bakery with KeyCloak SSO & social sign on

drumm credited marvil07.

drumm:

Issue summary: View changes
Status: Active » Needs review

This has been moving forward. A production migration has completed in the background and we are fixing the edge cases & validating functionality. This can likely move forward in the next few weeks.

The codebases for our Keycloak extensions and migration are now available at https://gitlab.com/drupal-infrastructure/sso

drumm credited heddn.

drumm:

(updating credit again)