

Member Portal V2

This is a project driven by @samp20 to build a new member portal to provide Single-Sign-On (SSO) to other Hackspace services.

The current proposed architecture is a Python Flask application with PostgreSQL as the backend database.

Permissions shall be granted through OAuth scopes or other custom claims (for example group memberships). Because such claims are often specific to a single application, a general-purpose approach is proposed using Members, Roles and ClaimSets with the following relationships:

  • Many-to-many between Members and Roles
  • One-to-many between Roles and ClaimSets

A Role describes a high-level role a member has, for example “onboarding”. A ClaimSet describes the specific OAuth claims associated with that role. ClaimSets are kept separate from Roles so that a ClaimSet can be limited to a single OAuth client: a Role that spans several clients then owns one ClaimSet per client, and a member joins that Role once rather than joining a separate Role for each client.

An example ClaimSet for Grafana access to the “viewer” team may look like the following:

{
    "scope": ["openid", "email"],
    "groups": ["viewer"]
}

This ClaimSet would be restricted to the Grafana OAuth client so that the “openid” scope (and the “viewer” group) is only ever issued in tokens for Grafana; issuing it to other clients would inadvertently grant access to them.
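The following is an added worked example of the Member/Role/ClaimSet model and of the client-restricted claim resolution described above; it is not code from the member portal project. It assumes an in-memory SQLite database standing in for PostgreSQL, table and column names of my own choosing (member, role, member_role, claim_set, with a nullable client_id meaning "applies to every client"), and a few constructed members and clients. The Grafana ClaimSet is the one shown above.

```python
import json
import sqlite3

# Assumed schema: a many-to-many join table between Members and Roles, and a
# one-to-many relation from Roles to ClaimSets. Each ClaimSet may be pinned to
# exactly one OAuth client (client_id); NULL means it applies to every client.
SCHEMA = """
CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE role   (id INTEGER PRIMARY KEY, name  TEXT NOT NULL UNIQUE);
CREATE TABLE member_role (
    member_id INTEGER NOT NULL REFERENCES member(id),
    role_id   INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (member_id, role_id)
);
CREATE TABLE claim_set (
    id        INTEGER PRIMARY KEY,
    role_id   INTEGER NOT NULL REFERENCES role(id),
    client_id TEXT,                -- NULL: not restricted to a client
    claims    TEXT NOT NULL        -- JSON object, e.g. {"scope": [...], "groups": [...]}
);
"""


def build_sample_db():
    """Create the schema and load constructed sample data (members, roles, ClaimSets)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO member VALUES (?, ?)",
                     [(1, "alice@example.org"), (2, "bob@example.org")])
    conn.executemany("INSERT INTO role VALUES (?, ?)",
                     [(1, "onboarding"), (2, "member")])
    # alice holds both roles, bob only the generic "member" role
    conn.executemany("INSERT INTO member_role VALUES (?, ?)", [(1, 1), (1, 2), (2, 2)])
    conn.executemany("INSERT INTO claim_set VALUES (?, ?, ?, ?)", [
        # the Grafana ClaimSet from the text, pinned to the "grafana" client
        (1, 1, "grafana", json.dumps({"scope": ["openid", "email"], "groups": ["viewer"]})),
        # the same Role also serves a second client with its own ClaimSet
        (2, 1, "wiki", json.dumps({"scope": ["openid"], "groups": ["onboarding"]})),
        # a ClaimSet with no client restriction (hypothetical)
        (3, 2, None, json.dumps({"scope": ["profile"]})),
    ])
    return conn


def resolve_claims(conn, member_id, client_id):
    """Merge the ClaimSets of all the member's roles that apply to this client.

    ClaimSets pinned to a different client are never considered, so a scope
    such as "openid" granted for Grafana cannot leak into another client's token.
    """
    rows = conn.execute(
        """
        SELECT cs.claims
          FROM claim_set cs
          JOIN member_role mr ON mr.role_id = cs.role_id
         WHERE mr.member_id = ?
           AND (cs.client_id IS NULL OR cs.client_id = ?)
        """,
        (member_id, client_id),
    ).fetchall()
    merged = {}
    for (raw,) in rows:
        for key, values in json.loads(raw).items():
            bucket = merged.setdefault(key, set())
            bucket.update(values)
    return {key: sorted(values) for key, values in merged.items()}


def grant_scopes(conn, member_id, client_id, requested):
    """Scopes to put in the token: the client's request intersected with what the
    member's ClaimSets allow for that client. Anything not allowed is dropped."""
    allowed = set(resolve_claims(conn, member_id, client_id).get("scope", []))
    return sorted(set(requested) & allowed)


if __name__ == "__main__":
    db = build_sample_db()
    print(resolve_claims(db, 1, "grafana"))            # alice at Grafana
    print(resolve_claims(db, 2, "grafana"))            # bob at Grafana: no viewer group
    print(grant_scopes(db, 2, "grafana", ["openid"]))  # bob asks for openid: denied
```

The query does the enforcement: a ClaimSet pinned to one client is simply invisible when resolving claims for any other client, which is the isolation property the text wants from separating ClaimSets from Roles.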

  • by samp20