Mozilla’s identity and access management (IAM) initiatives

Introduction

This document describes some of Mozilla’s activities in response to the decommissioning of Persona. It describes the change taking place in many of our web properties. Additionally the document provides a short overview on Mozilla’s broader identity and access management (IAM) initiatives.

Summary (TL;DR)

• Persona will be decommissioned on NOV 30, 2016.
• Our new authentication provider is built with Auth0 at its core.
• All Participation Systems properties (reps.mozilla.org, mozillians.org, moderator.mozilla.org and others) will be using Auth0 moving forward.
• Using this new authentication provider, Mozilla will transition many of its web properties that use Persona today to provide both
  • password-less email login for all profiles on Mozillians.org and
  • LDAP login for staff.
  • Additionally, some web properties will offer select social logins (e.g. Google, GitHub).
• Moving into 2017, Mozillians.org will be fully integrated with Mozilla’s LDAP. This will enable volunteers and paid staff to collaborate using some of the same platforms and tools.

2016-10-14 IAM Packages Visualization v2.png1210×834 340 KB

Persona Replacement (aka IAM Package B)

As previously mentioned on mozilla.dev.identity [Jan 12 2016 and Oct 13 2016], Persona is slated for decommissioning on November 30th, 2016.

Mozilla will not offer a public-facing authentication service like Persona after November 30th. Information for website owners to migrate their sites away from persona.org can be found on the wiki.

Many of Mozilla’s web properties (some of them listed below) will replace Persona with a new authentication provider based on Auth0. This means that Mozillians will be able to authenticate on many Mozilla sites using password-less email login, or select social logins (e.g. Google, GitHub). Staff members can continue to use their LDAP credentials on these sites. This transition includes, but is not limited to: Mozillians.org, Discourse, Moderator, Reps Portal, and Air Mozilla.

For the web properties maintained by the Participation Systems team (Discourse, Moderator, Mozillians.org, Reps Portal) this bucket of work is often referred to as “IAM Package B” and can be tracked on the team’s Kanban board. Package A was a technical proof of concept which successfully ended in September 2016.

Mozillians.org LDAP Integration (aka IAM Package C)

Looking towards 2017 we plan to integrate Mozillians.org with LDAP, to facilitate group management and access control for both paid staff and volunteers. This endeavor is often referred to as “IAM Package C”. Connecting these two systems will allow us to offer a single access management system for all Mozillians, volunteers as well as paid staff. We are still designing this new system and will share additional details in the coming months.

This groundwork will eventually allow us to differentiate collaboration tools’ access levels based on project needs instead of employment status. Think about the ability to provide document access to a hybrid project group of volunteer and staff contributors. This is a natural next step in our work as a radically participatory organization.

Feedback welcome!

This article hopefully provided insight into Mozilla’s currently running and planned activities around identity and access management. We invite you to continue the conversation here.

IAM and using an authentication provider with Auth0 at its core is generally a good idea to move forward.

Unfortunately, due to the decomissioning of Persona, some properties like MDN (developer.mozilla.org) currently only provide social logins now.

Will those properties eventually provide (helped to provide) LDAP and password-less email login, as well?

Hi @sebastianzartner,

totally agree with your view. It is unfortunate that MDN currently only allows Github login. Let me reach out to Kadir to see if he has a view on that an/or if the Participation Systems team can help to change the situation.

Best regards,
Henrik

@r_Up2mI1KfXvmSMPkEfhC6eg:

Thanks for your detailed post on Participation’s auth plans. Auth0 seems like a good fit for your authentication needs.

Kadir forwarded me @sebastianzartner’s question about Auth0 and MDN, and I thought it deserved a response here.

I wrote a long post on our mailing list about capability URLs, an alternative to username-password-cookie authentication, which also goes into the whys of GitHub as an auth provider for MDN:

https://groups.google.com/d/msg/mozilla.dev.mdn/QRK46EnQO-w/QTQOwIb9DgAJ

We announced MDN’s auth plans (GitHub-only) back in July. I started hearing about Auth0 integrations about a month ago, and have had some time to evaluate if it should be part of MDN’s plans. I haven’t seen a compelling reason to integrate it this year.

All MDN content is free to view without an account, so login is not required for almost all users. An account is required to edit and translate, and all new users gets the required permissions on sign-up. Mozilla staff and Mozillians don’t get advanced permissions automatically. There is little benefit to LDAP-backed Auth0 for MDN or its users.

Easy account creation on MDN has disproportionately benefited spammers. We’ve invested a lot of our engineering and staff resources on detecting and removing spam, and banning spam accounts. Auth0 appears to make it easy to create accounts, and would charge MDN for them. Easy account creation is not a compelling feature for MDN.

We are on day 10 of our GitHub-only experiment on MDN. We continue to get a stream of new account signups and high-quality first-time contributions. We’ll be GitHub-only for the rest of 2016, but things can always change in the future. Mozilla will have more experience with authentication alternatives, including Auth0 and Firefox Accounts, and more experience will lead to better designs.

Good luck on your auth transition, and please continue reporting your plans and experience!

Why Auth0? When I look at their website, it sounds like a commercial service provided by a startup (which usually means they could get sold or go bankrupt at any point). Is that a wrong impression? Why is it a better choice than standards like OAuth2 or OpenID Connect?

Hi @KaiRo,

when I joined the team, this decision had already been taken. Please give me a few days to go on a fact finding mission. I hope I can get back to you on this within the next 8-10 days.

Best regards,
Henrik

No problem, I’m generically interested in the reasons for the choice as me and probably some others are facing the same issue of what good options for login are and why. And of course, and Mozilla POV with openness and standards in mind is helpful.

I am assuming till it’s done and communicated across the board to all paid staff and volunteers, persona will keep working for mozillains (since it’s the only form of authentication present)

Yup, it’s a commercial provider. They support a wide variety of authentication and authorization standards/options including openID connect. Like any business (including Mozilla ;-] ) they could be sold, etc. We run a dedicated instance just for Mozilla and have done our standard review of legal, security, financial and operational considerations before implementing.

Persona end of life is November 30th. After that date it will be shut down.

Hence my query was there will be an alternate login system in place before that day. Otherwise there won’t be any way to log in.

Hi @rabimba,

yes, there will be an alternate login. We are currently working on transitioning Mozillians.org to Auth0, enabling passwordless login for all volunteers (and LDAP login for staff).
We expect to run tests on our Staging instance this week. Details of this can be seen in our sprint emails which are also published in this Discourse category.

Please send me a private message at hmitsch@mozilla.com in case you want to see and test the new login on our staging system.

Best regards,
Henrik

Ah… sorry misunderstood. Yes there is a prod instance up. You can see it in action on https://air.mozilla.org/?logged=in

FWIW, Mozilla can’t be sold, as a non-profit foundation cannot be bought by anyone. Mitchell has outlined that a number of times as something very positive, don’t take it away from us.

That said, I of course know that there’s extensive review involved in what Mozilla uses, esp. in an area as critical as this. My question wasn’t trying to be negative but genuine interest of why we made that choice (which I’m not sure was answered so far), given that others are facing similar decisions.

When you say “we run a dedicated instance”, does that imply that their code is completely open or do we have a licensed copy that we run on (virtual) machines that are under our control?

Again, I’m genuinely interested in the backgrounds of the choice here and wonder in what circumstances the same is a good choice for others out there and where the trade-offs are.

They house their open code here:
https://github.com/auth0/

The drivers for the choice were mainly support of OIDC and licensing favorable to allowing us to include community and paid staff in one solution. Hosting choices were made based on price (our own VM in our AWS account being the most expensive, shared VM being the least), support (SLA for bug fixes) and security (adhering to their existing SOC 2 processes).

I’m also quite interested in why Auth0 is being used. In my experience using it I’ve been rather disappointed with the product.

@r_Up2mI1KfXvmSMPkEfhC6eg Did you ever provide @KaiRo the details of why this approach was taken? I would also like this information.

Hi all, I work for Auth0. Happy to answer any questions you might have about our product - seems this is a better medium to discuss than Twitter. We understand openness and transparency are important to Mozilla, and while our product is not open source we would still like to address any specific concerns you might have about Auth0.

You sponsor passport.js though which is super awesome. You could say you’re friends of open source.

Auth0? Really? It’s not a surprising choice from the same stellar IAM team that previously though their “persona” identity system was a good idea. Don’t support open standards… let’s tell everyone to get an Auth0 account… of course! Obviously Mozilla should support OpenID Connect, which is already supported by Google, Microsoft and numerous other domains, and provides a solution for distributed control of identity information (in case people realize that we have enough massive silos of identity information for the NSA to hack).

Sorry, don’t be so harsh, you can say your opinion without attacking people. And even inform yourself before you talk. the IAM team did not create Persona, nor did they end it, and even then Persona tried to create a new open standard for something where there was none (and still isn’t). Also, Auth0 actually supports and uses OpenID Connect. While I may not ultimately be in favor of closed-source solutions personally, for the timeframe and the dire landscape out there, this was and is probably a decent choice for this initiative. You uninformed and personal attack is unwarranted, please be gentle and adhere to the Mozilla Participation Guidelines.
And please give the team that has to make those decisions some love. It’s awesome that they are open about what they are choosing and doing in their paid job (are you doing the same?) and that they are adhering to high security standards and weighing the options available carefully.