Please make sure the username/password (local auth) bits get disabled on teams.fedoraproject.org.
Right now, I would imagine at least some people have been confused and maybe entered their FAS credentials there.
I believe making teams.fp.o FAS only is 100% acceptable.
@jperrin Can you ask them about this/get us a way to make requests without bothering you?
Metadata Update from @kevin:
- Issue assigned to jperrin
@jperrin I second Kevin's ask, looking at https://pagure.io/fedora-infrastructure/issues?status=all&tags=taiga we have a SPOF bottleneck :)
@puiterwijk @bex re. removing local auth, we have https://pagure.io/fedora-infrastructure/issue/8212 where service accounts are requested; will that be possible with FAS?
I'm from the Taiga support team.
We could hide the username/password field from the teams.fedoraproject.org login page. At least it would be less confusing for the users.
But I'm not sure it is enough: it won't prevent a user from setting a password from the CHANGE PASSWORD page and using it to obtain a token and make calls to the API directly.
If you do need to completely disable local password authentication, we need to give it a second thought.
Can you perhaps hide the username/password on the login page for now, and then investigate disabling local auth completely when you get cycles to implement it?
The configuration toggle that allows hiding the login form is now in the Taiga master branch.
I think it's time for an update of the teams.fp.o version.
As of today (2020-01-23), teams.fp.o only allows logging in using FAS.
Please note that local auth is not disabled. If a user sets a password, she would be able to obtain an API token using her local password.
I think we could close this issue and discuss the feature of disabling local auth in another one.
Metadata Update from @cverna:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)