Hi all,
the Redmine developers released version 5.0 some months ago and updating to this version will have some effects on us. So, I would like to open a thread to discuss these issues with you and how we deal with that situation.
Currently, we are on the 4.2 branch and it still gets security and bug fixes, but I can't tell at which point they will stop supporting it.
We enabled the login over OpenID, which is implemented natively and not integrated over a plugin. With version 5.0, support for that was removed. I assume this is because the implementation is based on an older OpenID standard and there are not many users of it anymore (TM). The newer standard seems to be called "OpenID Connect", but it's not supported by Redmine.
Also, we are using a plugin which allows the login over a Google account. The compatibility of that plugin breaks with version 5.0.
The problem is that we have users for both and with version 5.0 they won't be able to use these methods anymore.
However, I have an idea for a solution. I took a look at the Redmine database and I played around with the Google login method. My tests showed that it creates a normal user account, as it is done with the registration, just with the little difference that no password is set, disabling the login over password. These accounts also have a user name and an email address. As soon as I set a password, I was able to log in using the user name.
So, my idea is that we just go with these changes and affected users use the functionality to reset their password, which means they will have a "normal" user account then. In preparation to that version update, we should disable these login methods so that no new users will make use of them.
Other ideas? What's your opinion?
// Felix
I'm not sure if anyone noticed that. So I wanted to push it again.
If nobody has any objections, I will disable the login methods at the end of August.
// Felix
On Thu, 2022-08-04 at 22:26 +0000, Felix Singer wrote:
> the Redmine developers released version 5.0 some months ago and updating to this version will have some effects on us. So, I would like to open a thread to discuss these issues with you and how we deal with that situation.
> Currently, we are on the 4.2 branch and it still gets security and bug fixes, but I can't tell at which point they will stop supporting it.
> We enabled the login over OpenID, which is implemented natively and not integrated over a plugin. With version 5.0, support for that was removed. I assume this is because the implementation is based on an older OpenID standard and there are not many users of it anymore (TM). The newer standard seems to be called "OpenID Connect", but it's not supported by Redmine.
> Also, we are using a plugin which allows the login over a Google account. The compatibility of that plugin breaks with version 5.0.
> The problem is that we have users for both and with version 5.0 they won't be able to use these methods anymore.
> However, I have an idea for a solution. I took a look at the Redmine database and I played around with the Google login method. My tests showed that it creates a normal user account, as it is done with the registration, just with the little difference that no password is set, disabling the login over password. These accounts also have a user name and an email address. As soon as I set a password, I was able to log in using the user name.
> So, my idea is that we just go with these changes and affected users use the functionality to reset their password, which means they will have a "normal" user account then. In preparation to that version update, we should disable these login methods so that no new users will make use of them.
> Other ideas? What's your opinion?
On Thu, Aug 04, 2022 at 10:26:25PM +0000, Felix Singer wrote:
> However, I have an idea for a solution. I took a look at the Redmine database and I played around with the Google login method. My tests showed that it creates a normal user account, as it is done with the registration, just with the little difference that no password is set, disabling the login over password. These accounts also have a user name and an email address. As soon as I set a password, I was able to log in using the user name.
> So, my idea is that we just go with these changes and affected users use the functionality to reset their password, which means they will have a "normal" user account then. In preparation to that version update, we should disable these login methods so that no new users will make use of them.
> Other ideas? What's your opinion?
I'm a bit unclear what you are proposing.
I'm also unclear whether, under your proposal, users without Google accounts would be able to register or log in to the Redmine instance.
Please can you clarify?
Thanks,
Sam
On 12.08.22 14:04, Sam Kuper wrote:
> On Thu, Aug 04, 2022 at 10:26:25PM +0000, Felix Singer wrote:
> > However, I have an idea for a solution. I took a look at the Redmine database and I played around with the Google login method. My tests showed that it creates a normal user account, as it is done with the registration, just with the little difference that no password is set, disabling the login over password. These accounts also have a user name and an email address. As soon as I set a password, I was able to log in using the user name.
> > So, my idea is that we just go with these changes and affected users use the functionality to reset their password, which means they will have a "normal" user account then. In preparation to that version update, we should disable these login methods so that no new users will make use of them.
> > Other ideas? What's your opinion?
Felix, I guess you know my opinion already: Whoever maintains the service should decide. If there's already a password database, responsibilities (e.g. to inform everybody in case of a breach) won't change. So it sounds like making password-based logins the only option would reduce chore on your end. And nobody objected, so please go ahead :)
> I'm a bit unclear what you are proposing.
> I'm also unclear whether, under your proposal, users without Google accounts would be able to register or log in to the Redmine instance.
> Please can you clarify?
Currently one can log in either with OpenID, a Google account or with a password that is stored on our Redmine host. With the intended changes, everybody will have to use a password.
Nico
On Fri, 2022-08-12 at 18:06 +0200, Nico Huber wrote:
> > I'm a bit unclear what you are proposing.
> > I'm also unclear whether, under your proposal, users without Google accounts would be able to register or log in to the Redmine instance.
> > Please can you clarify?
> Currently one can log in either with OpenID, a Google account or with a password that is stored on our Redmine host. With the intended changes, everybody will have to use a password.
Exactly.
// Felix