From 01facf0167b4d1033c6af20ba98874757dbc46e5 Mon Sep 17 00:00:00 2001
From: Bryan Newbold <bnewbold@robocracy.org>
Date: Mon, 7 Jan 2019 17:49:02 -0800
Subject: basic IA XAuth notes

---
 notes/auth.md | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/notes/auth.md b/notes/auth.md
index b73ce343..ea249cf7 100644
--- a/notes/auth.md
+++ b/notes/auth.md
@@ -148,6 +148,20 @@ The `auth_oidc` enforces uniqueness on accounts in a few ways:
   accounts using the same remote account
 - all fields are NOT NULL
 
+### archive.org "XAuth" Login
+
+The internet archive has it's own bespoke internal API for authentication
+between services. Internal (non-public) documentation link:
+
+    https://git.archive.org/ia/petabox/blob/master/www/sf/services/xauthn/README.md
+
+Fatcat implements "passthrough" authentication to this endpoint by accepting
+email/password (in plaintext! red lights and sirens!) and passes them through,
+along with with special staff-level authentication keys, to authenticate and
+fetch user info. Fatcat then pretends this was a regular OAuth/OIDC
+interaction, substituting the archive.org user "itemname" as a persistent
+identifier, and the XAuth endpoint as the service key.
+
 ## Role-Based Authentication (RBAC)
 
 Current acknowledge roles:
@@ -177,11 +191,8 @@ Tokens and other secrets can be store in environment variables, scripts, or
 
 Want to support more OAuth/OIDC endpoints:
 
-- archive.org: bespoke "XAuth" thing; would be reasonable to hack in support.
-  use user itemname as persistent 'sub' field
 - orcid.org: supports OIDC
 - wikipedia/wikimedia: OAuth; https://github.com/valhallasw/flask-mwoauth
-- additional 
 
 Additional macaroon caveats:
 
-- 
cgit v1.2.3