Third party authentication in Damned Lies

Dear translators, reviewers and GNOME hackers,

EDIT (19:41 UTC+1): this thread is to inform you about the change to come, feel free to express your opinion so that we can adjust this feature before publishing.

We are about to ship a new way to connect to Damned Lies soon (in the coming weeks). The main consequence is that registration with a password will be permanently removed. We chose to support 3rd party providers to log in to Damned Lies. These providers are Fedora, Launchpad, GNOME SSO, GitHub and Google. The first two were added to the list of the providers other GNOME services use because there are communities of translators coming from these platforms, and we want to make it easy for them to contribute to GNOME.

This will make our Infrastructure administrators happy, I guess, because that’s a very long standing feature request. I’d say about 4 years :sweat_smile:. I hope it’ll be worth the wait.

This change will also help us to fight spam. Indeed, we are flooded by tons of bots that register on Damned Lies and that may publish spam on workflows. We expect these 3rd party providers will do better checks than we can.

There are now two different situations when logging in.

You already have a Damned Lies account

  • 3rd party authentication is based on your email. If you would like to log in using GitHub.com for instance, the email in your GitHub profile must match the email given in Damned Lies. In case we don’t find any account with this email, you will have to log in using the email and connect the 3rd party providers after being logged in.

  • Password-based authentication will be disabled, in favor of email authentication. If you still want to use your email to log in, you will have to ask for a connection link that will be sent to your inbox.
    • It will no longer be possible to use your password or update it. As a consequence, we will reset all existing passwords to random values, so that in case of a leak the passwords will have no value.
    • Changing your email address will be protected: you will have to confirm owning the email address with a link we’ll send to you.

You want to create a new account

  • If the email provided by the 3rd party provider is unknown to Damned Lies, either you have an account, but known under a different email (and so, as already said, you’ll have to connect first, then connect the 3rd party authentication providers), or you want to create a new account, as shown below.

After clicking on the Continue and Create a New Account link, you’ll be all set with your new Damned Lies account, ready to join a new translation team!

Changes for the developers

For developers who are used to adding a DOAP file to their projects (which is quite mandatory to be added on Damned Lies), you will have to be careful with your description file. The email address is now mandatory information for maintainers. For maintainers who already have a Damned Lies account, there is nothing to do. Only new maintainers (maintainers who do not already have a Damned Lies account) are affected, because we need this email address to automatically create the maintainer account.

More details in the Damned Lies wiki: doap_file_format · Wiki · Infrastructure / damned-lies · GitLab

3 Likes

Just making sure: if I have a DL account, I will have to use one of the service providers to “validate” it?

And asking for curiosity reasons: will it be possible to also add GitLab and Codeberg to this list? In case someone doesn’t have any of the accounts from these providers and doesn’t want to create them just for this.

Nope, you can use your email to log in, you will receive a connection link directly in your inbox. I am personally against forcing users to use providers that are a bit far from the FLOSS philosophy, or backed by big tech companies.

For GitLab, it should be on its way, Codeberg makes sense too. Thanks for your feedback!

1 Like

That is not what we discussed. It was meant to be a recovery mechanism, not a login mechanism.

Please explain yourself.

From this issue on GitLab : Enable 3rd party authentication (#570) · Issues · Infrastructure / damned-lies · GitLab

/password_reset/ is not needed anymore. Instead, we have a similar page for legacy accounts (/legacy_account/?). Instead of resetting password, the email contains a link that lets people log in one time. The button says “Send link”. This is what people with old accounts will use the first time they log in, to connect their account with an OIDC provider.

The only difference resides here: you suggest DL users will only use this link one time and then connect to 3rd party providers. Receiving a login email will be disabled after that for these users.

I don’t see any problem with the current implementation: DL users without an account at any of the identified providers will not suffer from anything, and DL users without an account on these platforms will still be able to log in.

Additionally, this will have no negative effect on spam. It will not make any difference for new users who will use 3rd party provider accounts. Only already existing users refusing to use 3rd party providers for legitimate reasons will still have a way to log in to their DL account.

What about existing spam accounts?

It’s worth spending some time filtering them in the admin interface and removing them manually. Once we’ve stopped the ability for spammers to register, it’ll be easier to limit spam.