Where does one go to learn about how identity.kde.org is currently developed? I did a quick search on the Wiki and didn't find much.

I speak reasonably fluent Python. Got a stack of O'Reilly books next to my chair for light reading. If I can help, I certainly will.

You can find the current sources for Solena at websites/identity-kde-org on KDE Git.
https://phabricator.kde.org/source/websites-identity-kde-org/

Please note that i'd advise against using it as a reference for how a replacement system should be built as many of the requirements outlined above are radically different from what the existing system enforces/provides.

Keeping usernames is fine as long as they are not used as the primary identifier for a user.

Usernames provide some useful flexibility:

• Users can log in with either username or email would make things easier for them.
• Referencing user profiles via url (eg. identity.kde.org/rgb-one)

Please note that as developers have to have a Subversion Username assigned to them, i'd rather not have a concept of usernames on the system (as then you either have two usernames for those developers with Subversion access which will generate confusion there, or have to impose the username-is-based-on-real-name requirement that has caused so many issues on the usernames the user can select)

Using email addresses should be perfectly fine, and public profiles aren't something we'll be pursuing as we won't be collecting the sort of information people might find useful (like Phabricator's activity feed) on the Identity platform.

Ok, so we need a proper industry solution and opensource.

As i discussed yesterday on akademy channel, we should have the ability of allow external accounts registers, like Google, Facebook, Linkedin, Github.
So, the solution goes through OopenID and Oauth2.0

I really think that we should take a look on this, https://www.keycloak.org/

It's fully open source, we can use whatever we want.
The only setback that i saw is the usage of jboss, with demand some resources.
But still, fully open source, and met all our requirements, including creating our own KDE login if someone decide not go bt any social media login.

It provides everything we need AND the federated login from all structures. An example on how easy would be to integrate the Google login button:
https://github.com/metadatacenter/cedar-docs/wiki/Configuring-Keycloak-to-use-Google-Identity-Provider

Feasible or too much ?

Please note that I mentioned the possibility of allowing external providers to be supported through this (under On the subject of login) however I don't consider it mandatory at all as there are elements of the community for whom all of those external services will be completely unacceptable.

In regards to Keycloak specifically, we considered it in the past but dismissed it as a potential option as it would require customisation to fit our needs, and that would still not eliminate the need for usernames (which is a hard requirement as previously stated).

We would also be stuck with some limitations around how data could be managed (any such changes would require substantial invasive changes). To my understanding it also has a requirement that a first and last name be provided, which many users (who only want to use the Forum and maybe Bugzilla) don't want to do.

Usage of an "off the shelf" solution would also prevent us from implementing solutions to some of the issues we currently face around data propagation (see Have support for means to be integrated with other systems) which cause quite a few problems for us.

Systems like Keycloak are intended for usage in a corporate context, where details like names and email addresses rarely (if ever) change, which is in stark contrast to our open source context (where email address can and do change on a fairly regular basis)

@helio You suggested OpenID, which is significantly outdated and unsupported. There is a replacement, with much improved security, called OpenID Connect (it’s based on OAuth2 and has nothing but the name in common with OpenID), so I’d suggest that instead.

Luckily, Keycloak has native support for it.

As previously mentioned, Keycloak is not suitable for our purposes due to the limited customisability it offers in regards to custom fields, along with its hard dependency on usernames in addition to the other issues noted in my earlier comments above.

Some notes after Akademy. I'll expand on these as we move forward:

Application Components

Persistent Layer:

• Legacy (LDAP)
• In-Live (PostgreSQL)

Microservices:

• Identity REST API & OAuth2 Provider
• Rest Client / LDAP Server
• Front-End / REST Client

LDAP Proxy

A large segment of the KDE infrastructure is tightly coupled to identity. In particular, they are integrated to the LDAP interface itself.

To minimise any potential impact of replacing identity throughout our infrastructure, we will be building a lightweight LDAP server that uses a REST api as its backend / data store.

Phased Deployment

• Phase 1: Deploy new API and LDAP Proxy
• Phase 2: Migrate Low-Priority Applicatations
• Phase 3: Deploy new Identity Interface and Oauth2 Provider
• Phase 4: Migrate remaining active users
• Phase 5: Wait for it … Wait for it … Kill OpenLDAP

@tcanabrava - Ben mentioned that you were interested in helping out with this. Are you happy for me to add you to this task?

Yes, put me up

Em sáb, 1 de set de 2018 às 13:01, Kenny Coyle <noreply@phabricator.kde.org>
escreveu:

kcoyle added a subscriber: tcanabrava.
kcoyle added a comment.

@tcanabrava https://phabricator.kde.org/p/tcanabrava/ - Ben mentioned
that you were interested in helping out with this. Are you happy for me to
add you to this task?

*TASK DETAIL*
https://phabricator.kde.org/T8449

*To: *kcoyle
*Cc: *tcanabrava, bport, justJanne, helio, kcoyle, alexeymin, sharvey,
jackyalcine, kfunk, richardbowen, ahmedabouelhamayed, ngraham, joshua,
sagarhani, aspotashev, lydia, bcooksley, sysadmin, Anachronox, skadinna,
ochurlaud, kvermette, scarlettclark

I want be involved as well, in a less capacity, but willing to do some work as well.

[]'s

Awesome.

So it looks like we have a bit of a team together now.

Who would like to take point on building out the initial REST API?

The high-level requirements for this are:

• Simple REST API to expose all user and group information that currently exists in LDAP.
• Superuser credentials that can access and modify all records.
• User credentials per account that can update a users own information.
• RDBMS backend with simple schema.

We can go into more detail and build out tasks once we have a simple API in place.

I'm trying to set up the current system (Solena) in a development environment, but I currently get an error when registering a user:

2019/07/16 20:05:11 [error] [system.db.CDbCommand] CDbCommand::execute() failed: SQLSTATE[HY000]: General error: 1364 Field 'uid' doesn't have a default value. The SQL statement executed was: INSERT INTO `tokens` (`type`, `givenName`, `sn`, `mail`, `token`) VALUES (:yp0, :yp1, :yp2, :yp3, :yp4).
2019/07/16 20:05:11 [error] [exception.CDbException] exception 'CDbException' with message 'CDbCommand failed to execute the SQL statement: SQLSTATE[HY000]: General error: 1364 Field 'uid' doesn't have a default value' in /var/www/html/framework/db/CDbCommand.php:354
Stack trace:
#0 /var/www/html/framework/db/ar/CActiveRecord.php(1014): CDbCommand->execute()
#1 /var/www/html/framework/db/ar/CActiveRecord.php(787): CActiveRecord->insert(NULL)
#2 /var/www/html/protected/controllers/RegistrationController.php(109): CActiveRecord->save()
#3 /var/www/html/framework/web/actions/CInlineAction.php(50): RegistrationController->actionEnterDetails()
#4 /var/www/html/framework/web/CController.php(309): CInlineAction->runWithParams(Array)
#5 /var/www/html/framework/web/filters/CFilterChain.php(134): CController->runAction(Object(CInlineAction))
#6 /var/www/html/framework/web/filters/CFilter.php(41): CFilterChain->run()
#7 /var/www/html/framework/web/CController.php(1146): CFilter->filter(Object(CFilterChain))
#8 /var/www/html/framework/web/filters/CInlineFilter.php(59): CController->filterAccessControl(Object(CFilterChain))
#9 /var/www/html/framework/web/filters/CFilterChain.php(131): CInlineFilter->filter(Object(CFilterChain))
#10 /var/www/html/framework/web/CController.php(292): CFilterChain->run()
#11 /var/www/html/framework/web/CController.php(266): CController->runActionWithFilters(Object(CInlineAction), Array)
#12 /var/www/html/framework/web/CWebApplication.php(276): CController->run('enterDetails')
#13 /var/www/html/framework/web/CWebApplication.php(135): CWebApplication->runController('registration/en...')
#14 /var/www/html/framework/base/CApplication.php(162): CWebApplication->processRequest()
#15 /var/www/html/index.php(13): CApplication->run()
#16 {main}
REQUEST_URI=/index.php?r=registration/enterDetails
HTTP_REFERER=http://localhost:9000/index.php?r=registration/enterDetails

The SQL error is clear: the uid column is marked as NOT NULL (according to protected/data/database-schema.sql), but its value is not given in the INSERT INTO request.

However after reading the PHP source code didn't find no place where uid could be set. May be the sources in Git repo are not in sync with the sources used in production environment for https://identity.kde.org ?

The registration form sends to following params in POST request, uid is not there:

YII_CSRF_TOKEN: c51fbacd4b5c1a2a2ffedbf1a39d8e2fb3fe7616
Token[givenName]: 123
Token[sn]: 213
Token[mail]: 123@g312.com
g-recaptcha-response: 03AOLTBLS32zwVbDyS6-gdW1eeCm5e4xKoMJg-fVT45J6nQWEbsXMYEGm9mezFDZs79OLvor92xG8zIy47UYyx_YNQhnpRuz0e7yGw_tkyG2j7PCigEkrCodbCK2rUndb51eDYI6CJYysMkcWqA0VK7_3MmT_AWK2LfDRLmI8iQwyCHSUguTRpbcSRYXWiTeWJ-GRc_EHh2CZfaaNyf0OAzjXAQVAFNJypFdJqtjlIuOIxH_cnlYbBTT0ziWCMu8EURJaH49-c8lULRVc8rYzncq2xQVwz5BMW8LdR4Gtf0ZoNjEndd1jL-40yk9dMZKQzjO8Ac1d4mUgV
yt0: Register Account

The tokens table is multi-use and is used for doing several different things (registration, adding mutliple email addresses, etc) so the lack of uid in that POST submission is normal.

The correct schema should be:

CREATE TABLE `tokens` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `token` varchar(50) NOT NULL,
  `type` int(1) NOT NULL,
  `mail` varchar(255) NOT NULL DEFAULT '',
  `uid` varchar(255) NOT NULL DEFAULT '',
  `givenName` varchar(255) NOT NULL DEFAULT '',
  `sn` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=75848 DEFAULT CHARSET=utf8

Additionally most applications pre-built support for LDAP is broken, as they copy details like email address to their internal database on first login and don't sync changes made later on. This makes email address updates for users a pain and basically always requires Sysadmin intervention.

@bcooksley , how should this be implemented on top of OAuth2?

Let's say

1. I use identity.kde.org's OAuth2 Provider to create a UserBase wiki account,
2. start "watching" some wiki pages,
3. then go to identity.kde.org and change the default email address,
4. someone edits the watched page, so that UserBase wiki wants to notify me over email about this change. How would it know if my old email address is still valid or it needs to request an update from OAuth2?

In regards to underlying datastore, Postgres is not an option.

Why not PostgreSQL? Because Sysadmin team has little experience with it?

PostgreSQL was disqualified because the majority of KDE servers (all apart from the machine running Gitlab and Mirrorbrain) run using MySQL, and having two database servers running is an inefficient use of system resources. In any event, implementing something like this should not require the use of anything other than simple database queries for which an ORM or equivalent should be able to handle (giving us flexibility to change in the future).

With regards to how details should be updated, there are two possibilities:

1. Have sites update local profiles each time a user logs in. While this means there would be some propagation delay (next time users goes through the login flow for that site) it is very simple to implement.

2. Have the OAuth2 provider send notifications to sites a user has logged into when details of their profile (including group membership) change. This would be required for integration with services such as Gitlab because changes in membership to some groups (such as Developers or Sysadmin) is extremely security sensitive and thus an immediate sync is necessary.

Due to our requirements, we'd therefore want to have Option 2, at least for some sites (at which point we may as well just implement them for all sites, as it also has a better user experience).

In terms of how Option 2 is implemented, the way I would do this would depend on the application/site in question.

For something like Gitlab, it has a full featured API which allows those with Administrator access to update account details (without needing confirmation in the case of email addresses) so working with that is the path of least resistance and requires us to do less custom code on the Gitlab side (improving the odds that things won't break in future updates, a key concern of a system like this).

For other software (such as Mediawiki, or Drupal) they lack this functionality and don't have such an API (to my knowledge at least, Mediawiki might have something, and chances are there is a Drupal module out there which provides some kind of nice API). For these applications, having our own mini protocol (where Identity sends a POST notification to an endpoint to trigger custom code to do the update on the site side) should be sufficient for our purposes.

Because OAuth2 will need custom code on the application/site side anyway, this shouldn't be an issue (while the flow may be generic, the underlying APIs you need to talk to for things like user profiles always differ, so you invariably need some kind of custom code on the consumer side even if it is relatively straight forward - hence the preference for having Identity talk to site APIs as quite a bit of software has scaffodling you can plug into for writing OAuth2 consumer plugins)

It's for the above reasons we've eliminated all of the off the shelf / existing solutions for OAuth2 providers we've evaluated so far - because none of them attempt to do profile syncing.

I looked at the blender id system as a replacement. Under the hood it's using django and the django authentication plugin

Functionalities

• Role can be created a runtime
• There is already a hook for role change (a python function is called each time the role of a user are modified)
• OAuth2
• Basic moderation functionalities (admin and moderation)
• We can put a lot of optional field with the django orm
• Badge feature (need to be disabled)

Missing functionalities

• No 2fa (could be added with https://django-two-factor-auth.readthedocs.io/en/stable/)
• No way to add field at runtime (but easy to add in the code with an ORM)
• No spam system

One of the advantage of using Django is that it's quite easy to add new feature (like 2fa and the spam system). So that from the missing functionalities, only the fact that we can add field at runtime will be really difficult to add.

Adding fields at runtime isn't something we've got a hard requirement for, so that won't be a big deal.

The lack of 2FA and abuse preventation systems is a bit more of an issue though, and we'll probably need to add the account change notifications we need to keep sites up to date with account details as they change them. Otherwise it is looking like a very good base to start from.

Do we know if it supports multiple email addresses?

In T8449#197298, @bcooksley wrote:

Adding fields at runtime isn't something we've got a hard requirement for, so that won't be a big deal.

The lack of 2FA and abuse preventation systems is a bit more of an issue though, and we'll probably need to add the account change notifications we need to keep sites up to date with account details as they change them. Otherwise it is looking like a very good base to start from.

I implemented 2FA with a django plugin in my local build, this wasn't so difficult (just some configuration change). I will need to clean it a bit and then push it to a repo in the gitlab instance. Creating a basic abuse prevention systems should not be too difficult from the identity side, but mostly from the others apps side. We will need to add hooks in gitlab that send a request to identity for each comment.

Do we know if it supports multiple email addresses?

For the moment it only supports one email addresses. That would be the use case, storing multiples emails only and one primary or doing authentication with whatever email is provided. The first case would be easy to implement (just add a custom json field in the database), the second case would be more difficult and I'm not sure it would present any advantage.

I found another problem, the blender id devs didn't explicitly add a LICENSE file to the repo (there are some mention of gpl2.0+ in the repo). I think they forgot (most of the KDE website repos don't have a LICENSE file too) but I prefer to be sure. So I created a request to add it explicitly.

Awesome, thanks for investigating all of this.

Proposal plan of action: :D

Krita would like to have an instance of fund.blender.org. Maybe we could use this opportunity to set up an instance of blender id. This would allow us to test it on production and if this work well for fund.krita.org move progressively more KDE service to it.

Does this proposal make sense?

Having an existing foundation to build anything special we have on top of would be nice yes, especially if they've already done stuff like making an initial OAuth2 provider and an API.

Our usual process for assessing software like this is to setup a testbed somewhere and have a solid look through how it works and basically give it an assessment as to:

1. Whether we think it will work for our needs in terms of what is outlined above
2. How maintainable do we think this will be in the long run
3. In terms of our compliance requirements, will it help us meet those (particularly with regards to GDPR)

In T8449#197436, @ognarb wrote:

I found another problem, the blender id devs didn't explicitly add a LICENSE file to the repo (there are some mention of gpl2.0+ in the repo). I think they forgot (most of the KDE website repos don't have a LICENSE file too) but I prefer to be sure. So I created a request to add it explicitly.

Just to note they replied and it is GPL3

Ok, I will try to provide by the end of this week a working prototype with some but not all requested features and instruction how to deploy without docker and with Apache.

Thanks for working on this Carl. For now not having all the necessary functionality working should be okay as it will be a good starting point for us to perform a good assessment of the capabilities of the system and determine what we'd need to do to satisfy the rest of our requirements.

(Side note: given the lack of this sort of thing in the open source sphere in general, it would be nice if we could make this fairly generic in the end so other projects could pick it up as well)

Current progress can be followed at https://identity.carlschwan.eu/ ;) I didn't setup sending mail yet, so let me know if you want to test it so that I can manually give you the link with the registration token.

I also added the functionality of fetching the groups available in invent and assigning groups to a user (for the moment without any effect).

What is the Nickname field used for in creating account form?

according to the comment in the code

Named 'nickname' and not 'username', because the latter already is a
'thing' in Django. Not having one, and identifying users by their email
address, was our own customisation.
Bringing back a field 'username' with different semantics would be
confusing. For example, there still is a field 'username' in the default
Django auth form that is used for 'the thing used to log in', which is
the email address in our case.

So it's not used for the login but I still need to look how it's used in the synchronization of the user data in the api

Ideally any API would use a UUID or something along those lines - we'd preferrably not rely on any human readable identifier to link accounts (which is what a username does currently with Identity, which is why it is so hard to change those)

Ok apparently it's using neither the username not the email address for the linking the two accounts since modifying both still recognized to link the account together. I suppose it's using a sort of id. I will need to take a closer look if it's just an integer or an uuid. It's quite easy to change the integer id to an uuid in a django project ;)

The nickname looks more like a legacy thing when blender id was still another completely different system using flask. But if we make it an optional field when registering, it could be nice to have since it's syncronized.

Although Blender id has a high quality of code and documentation, I'm still trying to understand some part of the code/magic :p

• The bid_api part as an api to create user (probably from blender app itself), I suppose we should remove this part. There are other parts in the API that I need to investigate for their usefulness (we won't need to support the legacy blender id API)
• The webhooks system that send USER_MODIFIED event, but I don't know with what arguments :(
• It also looks like there is a system in place to syncronized the username and email address that doesn't use the webhooks. So that after a logout and login cycle the username and email address are syncronized. I need to understand how this works ;)

So there is still a lot of things what I need to understand ;)

@ognarb thanks for working on this

An Integer ID should be fine, my main reason for that was to have something that would be uniquely identifiable across systems as being an Identity account reference.

Depending on how the API works, we could expose the internal integer ID with some kind of key prefixed on it (like how Phabricator does things). Internally it can continue to use an Integer ID of course (this UUID or equivalent change would be for clients talking to it's HTTP API only)

Ok it was a lot easier than planned to switch to UUID. Literary 3 line codes added and I don't need to modify the client library.

Next features planned is the support of multiple email addresses. I don't think it's a good idea to support login from multiple email addresses. So we will need to differentiate between secondary and primary email addresses. I suppose we should require each email addresses to be verified.

What would be the use of having multiples email addresses? Password reinitialization? Multiple points of contact?

And other implementation details questions:

• Should we support add ssh keys? I don't think so since this is already provided by gitlab but maybe for svn.
• Creating a kde developer account request should be similar with the old system or do we want something a bit different? What could we do to make it easier for us? Maybe requiring the mentor to confirm the request?
• Maybe creating other request form could be useful: translator account request with field to add svn key, and possibly more, adding this sort of form is very easy since they are mostly auto generated based on a Django database model.
• Support badge: blender id support badge that are used mostly for showing off that the user support blender financially. I quite like the feature and I think we could still use it with others badges like 'KDE developeur', 'KDE translator', 'GSoC student', 'GSoC mentor', 'KDE Sysadmin' and possibly a lot more. This could be also used as an anti spam whitelist ;)
• And how do we do the migration? Let the user register to the new system and periodically sync the permissions until we consider what all the still active devs have an account? We are not here yet but we should still start thinking about it ;)

How have you been thinking of implementing these things without diverging from upstream?

Have you discussed what they would be happy with for things they don't have a use for? Some things could probably just be enabled in the admin interface while others might need to be "plugins" maybe

If we hope other orgs will also want to use and contribute to it, how will other features be added?

In T8449#207901, @duffus wrote:

How have you been thinking of implementing these things without diverging from upstream?

We will need to diverge from upstream anyway. Since we are using KDE branding instead of blender branding for the theme, so I needed to rewrite a lot of layouts. Lucky for us, blender id doesn't get many non-cosmetic patches anymore, so it shouldn't be hard to cherry pick one or two commits per months.

Have you discussed what they would be happy with for things they don't have a use for? Some things could probably just be enabled in the admin interface while others might need to be "plugins" maybe

If we hope other orgs will also want to use and contribute to it, how will other features be added?

In regard of upstreaming our changes. We can't upstream all our changes: for example they use Phabricator when we are migrating to gitlab and switching to uuid can't be done without a complex migration system that I didn't write since we don't need it. So these patches can't be added upstream. But I will try to push more complex patches like support for multiple email addresses and support for optional 2fa to upstream and I should look into isolate the non upstreamable patch the best I can. Maybe using Model inheritance?

@ognarb - Thanks for working on this! Maybe for the next step...how hard is it going to be to get a version of it going on a KDE server? Once we get it semi-working on a KDE server, people might be able to provide better feedback too if they can start playing around with a dev site. It sounds like you already have a lot of things set up like 2FA.

This will also help if we start testing sites that might use this system like a Krita funding platform site. It will be a lot easier to test out the ID site. I kind of want to play around with some different solutions, but is a bit harder not knowing what our ID system is going to be.

I don't know if we need SSH support at the at the ID system level. That seems very specific to what an application might need. I have never logged into a website through SSH. They are always user/password combos. I would imagine that is why our Gitlab instance manages that information.

Maybe for users....anyone can make a KDE account and we can just use whatever the ID system provides. Using badges, mentors/admins can just assign the "developer" badge to the user.

Progress report :)

• I installed a docker install of Gitlab on my computer and was able to create my gitlab account with with the log in KDE Identity button :)
• I was able from the KDE Identity admin interface to grant access to a gitlab group to the newly created user :)

This is the commit introducing this change: https://invent.kde.org/carlschwan/kde-identity/commit/9818cf1e6cfbc787c031319b57bc571d66d0aab7

This will still need a bit cleaning (e.g moving the hardcoded value to config variable)

@scottpetrovic Yes we should create a test instance on KDE servers, this will depend on the time available for sysadmiin. But I wouldn't recommend the usage
of it before we have all core service adapted to it (gitlab, wikis, forum?, drupal?), a form to ask developer access and we have a migration strategy in place to migrate
our existing users.

Some news about this project:

gallien.kde.org: This is the test instance and it was deployed. (I temporary disabled the mail functionality so that nobody can't register)

docs.carlschwan.eu: This is a complete rewrite of season.kde.org using gallien.kde.org as identity provider. The repo is located here: invent.kde.org/carlschwan/season-kde-org. I need to finish the homepage and handle the multiples seasons better.

identity.carlschwan.eu: This is an instance of blender fund also configured to use gallien.kde.org as identity provider

I have extensive experience in Django, maybe in the summer I can help work in this direction.

https://gallien.kde.org/login can now be considered as nearly done.

• User accounts can now be imported from an LDAP instance and the password, permissions, and most of the user information is migrated. This will be the only manual step for them
• there is also an LDAP bridge (using ldapjs) that is provided for legacy but services should be moved to OAuth2 when possible
• 2fa now works perfectly
• there is a form to request dev access
• The project was updated to django 3.0 and I hope to migrate to django 3.1 very soon (so that we can use JSONField)

Missing is the UI to add secondary emails (but they can already be stored and imported) and the LDAP part could need a bit more testing.

I would like to propose to see if the account migration works with a real identity ldap server and if it works start migrating the wikis first because they are less critical than GitLab and already are using oauth2 (via phab) and when this is done ask the developers to migrate their account (only manual step for them) and start migrating more services.

Also I would like some beta testers, I already asked feedback to the VDG team but more is always welcome. => https://gallien.kde.org and https://doc.carlschwan.eu/ for a demo application using oauth2 (still WIP)

https://wikisandbox.kde.org authentification now works and old accounts should be recognized correctly.

The LDAP Tunnel necessary for testing the import of accounts from the production Identity system has now been implemented.

The identity import now works correctly with the production ldap server , please test it => https://gallien.kde.org/ldap/auth :)

Also the oauth2 bridge to the wikis was improved and now can handles then the primary address in identity.k.o and phabricator differs

New features of the day 😄 :

• Possibility to have a public page to display some information about the developer. This is completely opt-in and can be enabled in the user settings. For example https://gallien.kde.org/user/carlschwan/ This needs a bit more thought on the design (the badges are hideous), but in term of functionality, it is ready :)

• Possibility to have some applications that can only register users who have a certain role. This can be helpful for our usage of Nextcloud there only developers and some other users can have a NextCloud account.

• OpenID Connect implementation, I added a OpenID scope with a special endpoint that should compatible with the spec.

• I added the required API for ev.kde.org/menbers/ listing all the ev-active members.

Looking good

Is there an equivalent to https://identity.kde.org/index.php?r=people/index for looking up users and https://identity.kde.org/index.php?r=groups/index for group members yet or is that still to be implemented here or elsewhere?

Due to complaints from users in the past (complaining about their details being "made public" when they're not), any equivalent to this page should be a page only users with certain permissions can see.

In T8449#237241, @bcooksley wrote:

Due to complaints from users in the past (complaining about their details being "made public" when they're not), any equivalent to this page should be a page only users with certain permissions can see.

Yes