GWS Teleconference 19-12-2019

  • GT introduces the discussion: we need to update 2 documents (SSO, CDP) and finalize GMS.
  • Discussion about GMS proposed standard.
    • Brian (BM) is presenting the current status of the GMS and how it is interconnected with CDP and SSO.
    • BM suggests that there is a general pattern (true for any IVOA service, not only GMS): when you make a remote service call, you first need to check whether you need to delegate credentials. Maybe that can be introduced in any IVOA service. The service must advertise which kind of delegation it supports (X509 or whatever).
    • The delegation chain cannot be defined a priori (there can be a set of cooperating services). The user must be aware of that.
    • GT: Two implementations, GMS@CADC and GMS@IA2(?); we must have them to promote the standard.
  • CDP:
    • Delegation based on tokens is the next step. Sonia Zorba (SZ) and Christine Banek (CB) are discussing some features needed to make it work properly: delegation and renewal (now the TTL of the token is 1h), which are available in OAuth. CB introduces the use of tokens in LSST: tokens are associated with claims, so that you can specify the service a specific token can be used for (e.g. this token works only for TAP); in this case the caller must know where the token is used.
    • BM: how can the user potentially see all the actions that are required for doing some requests: multiple claims. How can we do that? Can we use the capabilities?
    • CB: The tokens are signed and you should trust whoever signs the token.
    • SB: there are services that distribute public keys to decrypt tokens. CB: we can trust them so that you know the token.
    • SZ: do we want to use simple tokens really, or the OAuth token exchange standard?
  • SSO: we discussed improving the doc by introducing attributes to securitymethod (Markus's suggestion) to simplify the use of the standards for applications.
    • Markus proposed the "token getter": a link to a URL we can use to "get the token" or provide the auth credentials; or, when you pass the cookie name, you need to say what the name should be.
    • Identify the missing info in the document for each method.
    • BM: A use case could be TopCat accessing a TAP service with GMS and authenticating with tokens. Maybe using Python. CADC is working on token support. We also need a use case to update the SSO.
ACTIONS

* SSO prototype the attributes (Sara Bertocco) to update the SSO2.1

* GMS: work on the new standard, being agnostic on the CDP (only mention the need for a CDP) (BM), and we need a second implementation (SZ)

* Note on token delegation (SZ?, BM?, CB?)

* CDP much more work to extend to tokens. It requires token claims, trust, token delegation, token renewal and more (SZ, BM, CB).

Topic revision: r1 - 2020-02-12 - GiulianoTaffoni