Tuesday, 2020/08/25
10:00 am ET
Terrell Russell, Jason Coposky, Kory Draughn, Alan King, Daniel Moore, Ton Smeele (Utrecht University), Lazlo Westerhof (Utrecht University), Mike Conway (NIEHS), Brett Hartley (Sanger)
STATUS
- Native - complete - demonstrated with Jason's initial example
- PAM - complete? - demonstrated with Stefan's work
- OpenID Connect - TODO?
- Kerberos - TODO?
- S3-like access/secret key auth - TODO?
- Okta (Sanger already using internally for other services)
DISCUSSION
-
Integration back into iRODS server… seems to make the most sense as new default for 4.3.0? All authentication plugins would need to be updated to use this new flow.
-
OpenID Connect is 'outside iRODS', similar to kerberos… the id that is being used by the identity provider may be different from the id in iRODS… need to consider the mapping between internal and external systems. Other systems have multiple possible mappings, (userid, method, token) tuple to resolve who from where.
- iRODS could externalize the mapping itself, and possibly ship with a sidecar service to handle this for iRODS native - but would be easier to swap/integrate with other external services. This could all be part of 'how do we validate this user' question… authentication could be externalized completely.
- Open question - should it be one-to-one… or good to be flexible to have multiple external ids into iRODS username.
- The one-to-one identity provider itself could be a many-to-one service. This seems the best approach today.
- Open question - should it be one-to-one… or good to be flexible to have multiple external ids into iRODS username.
- iRODS could externalize the mapping itself, and possibly ship with a sidecar service to handle this for iRODS native - but would be easier to swap/integrate with other external services. This could all be part of 'how do we validate this user' question… authentication could be externalized completely.
-
SURF code is currently looking at a PAM-backed flow - Utrecht and SURF looking at using Apache/OpenID authentication then a trusted username presented to iRODS… which might be handled just via a proxy account. Influenced by owncloud, OpenID integrated into a webDAV client. This approach would be similar to keycloak and NFSRODS.