
SSO / oidc support #188

Open
parisni opened this issue Sep 29, 2024 · 3 comments

Comments

@parisni

parisni commented Sep 29, 2024

Not sure whether the feature already exists thanks to the Django framework server.

@lfuerderer

There is a core problem with SSO.

When using password authentication, the encryption key is derived from the password.
With SSO, I see no sensible way to derive an encryption key.

Maybe you have an idea how to solve this problem, otherwise I think SSO is just infeasible for EteSync.

@parisni
Author

parisni commented Sep 29, 2024

No strong confidence in the naive approach below, happy to have your thoughts.

  1. Map the password to a given attribute in the SSO payload; let's say the encryption key now derives from an etesync_key attribute managed by the provider
  2. On the provider side, encrypt/decrypt etesync_key with the user password, and pass it to EteSync as a payload. Sounds possible with Keycloak

This means that on the EteSync side there is no complexity; the risky part is delegated to the provider.
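
An added illustration of the proposal above, not part of the thread and not EteSync's own code: a random data key is wrapped under a password-derived key and carried in the `etesync_key` attribute, so the provider and server hold only the wrapped blob. Assumptions: scrypt and AES-256-GCM from Node's `crypto` stand in for the project's real primitives, the `sub` value and passwords are constructed, and wrapping is done on the client here rather than on the provider side.

```javascript
const crypto = require('crypto');

// Derive a key-encryption key (KEK) from the password. scrypt is a stand-in KDF.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Wrap the random data key so that only a password holder can unwrap it.
// The returned string is what the provider would store in the claim.
function wrapKey(dataKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Unwrap the claim value. Returns null on a wrong password or a tampered
// blob (the GCM tag check fails) instead of yielding a garbage key.
function unwrapKey(blob, password) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 16 + 12 + 16 + 1) return null; // salt + iv + tag + data
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample: the claims a server would receive after an SSO login.
function demo() {
  const dataKey = crypto.randomBytes(32);
  const claims = { sub: 'user-123', etesync_key: wrapKey(dataKey, 'correct horse') };
  return {
    serverSeesKey: Buffer.from(claims.etesync_key, 'base64').includes(dataKey),
    rightPassword: unwrapKey(claims.etesync_key, 'correct horse')?.equals(dataKey) === true,
    wrongPassword: unwrapKey(claims.etesync_key, 'wrong guess'),
  };
}
```

In this sketch the user still has to enter a password on every client to unwrap the key, so SSO replaces only the login step.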

@tasn
Member

tasn commented Sep 29, 2024

You can do SSO for the user provisioning and authentication (I'm pretty sure we support SAML already? Not sure) though the encryption key will have to be separate.

The main problem though is that we would need to also implement this across all of the clients, and I think the added benefit is minimal.


3 participants