Login with Keycloak #7
Replies: 1 comment
Thank you for your suggestion. But in order to implement such a feature, major changes would have to be made. The core idea of ESMira was that research departments can easily set up their own ESMira server and share it internally with fellow scientists. It was never meant as a tool that is used by a large number of accounts. Most design choices of ESMira depend on the assumption that it is not used by "too many" accounts (for example, public studies would easily become cluttered, and the chances of multiple studies using the same access key by accident would increase). Also, most lists do not use lazy loading because they are assumed to have a manageable number of entries, so that would have to be changed as well.

Then there is also the login system itself. At the moment, all accounts are saved in only a few permission files. If we want to be able to accommodate an unknown (/large) number of accounts (that can also be created automatically), the data file structure for logins and permissions would have to be changed and many login routines would have to be rewritten, or ESMira would eventually suffer performance issues if too many accounts were created (e.g. most permissions are saved in a single file, and so are the user accounts; this only works if we can assume that the number of accounts stays below a tolerable level). The current design naturally limits the number of accounts by forcing accounts to be created manually. With an automatic account creation system, this would no longer be the case and would eventually lead to problems.

I agree that the current account creation system is very rough. A big improvement would be a system where people can be sent a link and can then create a password on their own device. That should not be too difficult (but I am unsure when we will focus on that).

But I fear that OAuth (or similar) does not have many advantages for us, and we would have to spend a significant amount of energy on its implementation instead of adding other features.
A login/authentication with Keycloak should be implemented. Most universities use some kind of central identity management, which is/can be accessed via OpenID Connect, OAuth 2.0, and SAML. Shibboleth has been replaced by Keycloak at our university and seems to be a new kind of standard for secure protocols and authentication.

Furthermore, as an admin user it should then be possible to define default rights for new users and, as today, to change/add rights for specific studies. Thus, if a new user logs in for the first time via Keycloak, he could e.g. create new studies right away, but I would need to grant access to an existing study/data.