

Single Sign On

This is a project driven by @samp20 to build an SSO system for all Hackspace services.

The current proposed high-level architecture is a Python Flask application to handle logins, with Ory Hydra as the OAuth2/OpenID Connect server that provides the SSO: Hydra issues the tokens that Hackspace services consume and hands the login and consent steps off to the Flask application.

There will be a few login flows supported:

  • Email “magic link”
  • Passkey
  • Keyfob/card

Additionally, a second factor (TOTP) can be added if desired.

Password login won't be supported to begin with, unless there is strong demand for it.

Email login will send a “magic link” to your registered email address. Clicking it logs in the page you originally requested the link from, not the page that opens when you click the link. This lets you, for example, start logging in on your phone and approve it by clicking the email on your desktop. The requesting page therefore only needs to wait for approval; the link itself must never be shown to that page, otherwise anyone could request and approve a login for any registered address. This could also work for the Hackspace portal if desired.
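The cross-device behaviour described above, as an added example (not the project's code): the session that requests the link is recorded server-side, only a hash of the link token is stored, and clicking the link approves that original session rather than creating one for the clicking browser. The in-memory store and the 15-minute lifetime are assumptions.

```python
"""Cross-device magic-link login (added example, not the project's code).
The link authorises the browser session that *requested* it, not the
browser that clicks it. Store and clock are in-memory stand-ins."""
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of an unclicked link


class MagicLinkStore:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}     # sha256(token) -> pending login record
        self._by_session = {}  # requesting session id -> sha256(token)

    @staticmethod
    def _digest(token):
        # Only the hash is kept server-side, so a database leak does not
        # hand out usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_login(self, email, session_id):
        """Called by the page the user is on. Returns the raw token that
        goes into the emailed URL; the requesting page must never see it."""
        token = secrets.token_urlsafe(32)
        token_hash = self._digest(token)
        # A session can only have one outstanding link at a time.
        old = self._by_session.pop(session_id, None)
        if old is not None:
            self._pending.pop(old, None)
        self._pending[token_hash] = {
            "email": email,
            "session_id": session_id,
            "expires": self._now() + LINK_TTL_SECONDS,
            "approved": False,
        }
        self._by_session[session_id] = token_hash
        return token

    def click_link(self, token):
        """Called when the link is opened, possibly on another device.
        Marks the originating session as approved; single use."""
        rec = self._pending.get(self._digest(token))
        if rec is None or rec["approved"] or rec["expires"] < self._now():
            return None
        rec["approved"] = True
        return rec["email"]

    def poll(self, session_id):
        """The originating page polls this (or is pushed a notification).
        Returns the email to log in as once the link has been clicked, and
        consumes the record so it cannot be replayed."""
        token_hash = self._by_session.get(session_id)
        rec = self._pending.get(token_hash) if token_hash else None
        if rec is None:
            return None
        if rec["expires"] < self._now():
            self._forget(session_id, token_hash)
            return None
        if not rec["approved"]:
            return None
        self._forget(session_id, token_hash)
        return rec["email"]

    def _forget(self, session_id, token_hash):
        self._pending.pop(token_hash, None)
        self._by_session.pop(session_id, None)


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.request_login("member@example.org", "phone-session")  # constructed
    print("before click:", store.poll("phone-session"))   # None
    print("link clicked on desktop:", store.click_link(tok))
    print("phone session now:", store.poll("phone-session"))
    print("second click:", store.click_link(tok))          # None, single use
```

The web layer would call `request_login` from the form handler (after checking the address belongs to a member), `click_link` from the route the emailed URL points at, and `poll` from the original page; whichever transport delivers the approval, the raw token never reaches the requesting session.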

This will be a slight change to our current login method: you will need to enter your email first, then scan your keyfob/card. This is because the keyfobs aren't particularly secure and can be cloned easily. Treating the fob like a PIN for the member identified by the email means keyfob login can be disabled for that member after a number of failed attempts.

An additional security measure will be required to ensure these keyfob logins only come from the Hackspace network. For now an IP allowlist should be sufficient, along with a global lockout if a significant number of failed keyfob login attempts are spotted. It is recognised that IP source addresses can in principle be spoofed, but doing so against a TCP/HTTPS service is quite difficult in practice; the more realistic mistake is the application trusting a client-supplied header such as X-Forwarded-For, so if the app sits behind a reverse proxy the allowlist must be checked against the address the proxy actually saw. The global lockout would be a nuclear countermeasure for the extremely rare case that someone does defeat the allowlist.
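The keyfob step from the two paragraphs above, as one added example (not the project's code): the fob is checked only after an email has been entered, failures are counted per member with a lockout, the client address must fall inside the Hackspace network, and a burst of failures across all members trips a global lockout. The thresholds, the 10.20.0.0/16 network and the fob UIDs are assumptions.

```python
"""Keyfob/card as the second step after email (added example, not the
project's code): per-member lockout, Hackspace-network allowlist and a
global kill switch. All numbers and addresses below are assumptions."""
import hmac
import ipaddress
import time

MEMBER_MAX_FAILURES = 5            # wrong fobs before that member is locked
MEMBER_LOCKOUT_SECONDS = 15 * 60
GLOBAL_MAX_FAILURES = 50           # failures across everyone within the window
GLOBAL_WINDOW_SECONDS = 10 * 60
HACKSPACE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed LAN range


class KeyfobAuth:
    def __init__(self, fob_by_email, now=time.time):
        self._fobs = fob_by_email      # email -> registered fob UID string
        self._now = now
        self._failures = {}            # email -> (count, locked_until)
        self._global_failures = []     # timestamps of recent failures
        self.global_lockout = False    # cleared by an admin, not by time

    @staticmethod
    def from_hackspace(client_ip):
        """client_ip must be the address the proxy/server actually saw,
        never a client-supplied header such as X-Forwarded-For."""
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in HACKSPACE_NETS)

    def login(self, email, fob_uid, client_ip):
        """Returns 'ok' or a short reason the attempt was refused."""
        if self.global_lockout:
            return "global-lockout"
        if not self.from_hackspace(client_ip):
            return "off-network"
        now = self._now()
        count, locked_until = self._failures.get(email, (0, 0.0))
        if locked_until > now:
            return "member-locked"
        if locked_until:
            count = 0  # previous lockout has expired, start counting afresh
        expected = self._fobs.get(email)
        # Constant-time compare; a cloned fob is only useful with the email
        # it is registered to, and only for MEMBER_MAX_FAILURES guesses.
        if expected is not None and hmac.compare_digest(expected, fob_uid):
            self._failures.pop(email, None)
            return "ok"
        self._record_failure(email, now, count)
        return "bad-fob"

    def _record_failure(self, email, now, count):
        count += 1
        locked_until = now + MEMBER_LOCKOUT_SECONDS if count >= MEMBER_MAX_FAILURES else 0.0
        self._failures[email] = (count, locked_until)
        cutoff = now - GLOBAL_WINDOW_SECONDS
        self._global_failures = [t for t in self._global_failures if t > cutoff]
        self._global_failures.append(now)
        if len(self._global_failures) >= GLOBAL_MAX_FAILURES:
            self.global_lockout = True  # the "nuclear" countermeasure


if __name__ == "__main__":
    auth = KeyfobAuth({"member@example.org": "04A1B2C3D4"})  # constructed
    print(auth.login("member@example.org", "04A1B2C3D4", "192.0.2.9"))  # off-network
    print(auth.login("member@example.org", "04A1B2C3D4", "10.20.1.5"))  # ok
    for _ in range(MEMBER_MAX_FAILURES):
        print(auth.login("member@example.org", "DEADBEEF00", "10.20.1.5"))  # bad-fob
    print(auth.login("member@example.org", "04A1B2C3D4", "10.20.1.5"))  # member-locked
```

Per-member lockouts expire on their own; the global lockout deliberately does not, since it signals that someone is attacking the fob step from inside the allowlisted network (or past it) and a human should look before re-enabling fob login.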

projects:hydra_flow.png

  • projects/sso.1752057408
  • Last modified: 14 hours ago
  • by samp20