IVOA InterOpMay2020 GWS: NotesOnSSO2020 (2020-05-08, PaulHarrison)
---+ SINGLE SIGN ON Session

Participants: 80

Sara Bertocco is making the introductory presentation:

Current specification is based on existing standards:
More than one method available
Discussion in Groningen
Some examples of SSO have been discussed (CADC, LSST etc.): they are using tokens. The problem for apps is how to get the token. Markus proposes the tokenGetter attribute.
Good but some open questions remain:
1) how to return the token?
2) how many token Getters may I have?
3) federated auth? JSON token signed.
Credential Delegation: different apps should be able to work together. Now X509, what happens with tokens?
Credential Delegation necessary also for authz: Group Management.

Pat Dowler (and Brian M and Mark T) presentation on CADC proposal:
Services describe the auth method (securityMethod) they support (including anonymous). Client can use any one of them.
In SSO v2 the x509 cert is for a global sso.
The problem is how and where to login.
1) url for endpoint
2) APIs
3) credential endpoint
Proposed solutions:
a) to use VOSI capability: client reads the VOSI cap to understand how to auth, not so easy
b) HTTP header. WWW-Authenticate to extend with the SSO securityMethod and accessURL
What happens if a server uses Auth and Anon access?

Christine B.: On Rubin observatory they have a proxy that redirects users when you do not have a valid token. Negotiation is tricky, and also for clients: if you have multiple credentials the problem could be how to decide what to use.
Pat: CADC has a similar proxy to redirect, but when a CLI calls it, it is a problem; browsers are easier to work with proxies.
Christine B.: proxy (MISSING...)

*Questions:*
Jesus: In case of, e.g. basic authentication, is there a standard way to say to the client the parameter names for "username" and "password"? (or, are the names standardized?)
1) if you have a mixed endpoint you can use a dummy authentication
2) standardize Username and passwd but maybe uname and pass is not
We can have in the Registry the description of the securityMethod. Use the registry to find the scope of the credentials, so that the client does not send tokens when not necessary. Prefer to use WWW-Auth.
Russ A: what is the goal of this approach?
Pat: some of the SSO methods are recommendations to use on services.
There are a lot of use cases where you are not using a browser, but there are command line clients, in particular on computing.
Russ: what happens on batch jobs when it is not a user managing them?
MISS THIS PART

Mark T.: Support the WWW-Auth... because putting the securityMethod is more complex for Apps.

Christine B.: Auth and Datalink can be tricky.

Stanislaw P: raises a security problem on the way we can use tokens....
Sonia: he is talking about CSRF (Cross Site Request Forgery) (thanks)
Sonia: Why not just use BasicAuth instead of programmatically performing a POST on a form?

Christine B.: what about federated auth?

Russ A.: CSRF implication is that you should have different end-points for non-interactive and browser.

Greg Sleap: would like to implement DataLink; TAP is anonymous but DataLink must be authenticated, we use eduGAIN/ORCID, so federated. Local account is only for users that do not have fed accounts.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*ACTION:* prototype WWW-Auth.... on client servers prototype. OAuth is a good starting point.
*VOLUNTEER*:
Pat and Brian from CADC
Mark Taylor
Sara Bertocco
Dave Morris - happy to contribute with server side prototypes
Sonia Zorba : At INAF-IA2 we are using OAuth2 too, we can contribute with the prototyping
Paul Harrison
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
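As an added illustration (not code from the meeting, CADC, Rubin or any project named above) of the client side of the WWW-Authenticate approach in Pat's proposal and the action item: parse the challenge list a service returns, take the first challenge the client holds a credential for, and stay anonymous (send nothing) when it holds none, which is the "do not send tokens when not necessary" point raised in the questions. The `ivoa_x509` scheme name and its parameters are my own assumption of what such an extended challenge could carry; the `standard_id` value is the SSO 2.0 securityMethod identifier for X.509 over TLS.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified RFC 7235 challenge grammar: scheme, then a comma-separated list of
# name=value params (value: token or quoted-string). token68 forms such as
# "Negotiate <base64>" are not handled and raise ValueError.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(rf"\s*,?\s*({_TOKEN})(?=[\s,]|$)")
_PARAM = re.compile(
    rf"\s*({_TOKEN})\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|({_TOKEN}))\s*,?")

Challenge = Tuple[str, Dict[str, str]]

def parse_www_authenticate(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params); scheme lower-cased."""
    challenges: List[Challenge] = []
    header = header.strip()
    pos = 0
    while pos < len(header):
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"bad challenge at offset {pos}: {header[pos:]!r}")
        scheme, pos = m.group(1).lower(), m.end()
        params: Dict[str, str] = {}
        while (p := _PARAM.match(header, pos)):
            if p.group(2) is not None:   # quoted-string: drop the \ escapes
                params[p.group(1).lower()] = re.sub(r"\\(.)", r"\1", p.group(2))
            else:
                params[p.group(1).lower()] = p.group(3)
            pos = p.end()
        challenges.append((scheme, params))
    return challenges

def choose_challenge(challenges: List[Challenge], creds: Dict[str, str]) -> Optional[Challenge]:
    """First challenge (in server order) for which the client holds a credential.
    None means: stay anonymous and send no credential at all."""
    for scheme, params in challenges:
        if scheme in creds:
            return scheme, params
    return None

# Constructed sample of a 401 challenge list. "ivoa_x509" and its params are a
# hypothetical extended challenge; standard_id is the SSO 2.0 securityMethod id.
SAMPLE_HEADER = (
    'Basic realm="archive", Bearer realm="archive", '
    'ivoa_x509 standard_id="ivo://ivoa.net/sso#tls-with-certificate", '
    'access_url="https://example.org/cred/proxy"'
)
```

A service that mixes anonymous and authenticated access (the "Auth and Anon" question above) would return 200 with this header rather than 401, and the same selection applies; a `None` result then simply means proceed anonymously.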