Skip to content

Latest commit

 

History

History
38 lines (30 loc) · 1.94 KB

20200922-minutes.md

File metadata and controls

38 lines (30 loc) · 1.94 KB

Authentication Working Group Minutes

Tuesday, 2020/09/22

10:00 am ET

Attendees:

Terrell Russell, Jason Coposky, Kory Draughn, Alan King, Daniel Moore, Stefan Wolfsheimer (SURFsara), Mike Conway (NIEHS), Ton Smeele (Utrecht University), Claudio Cacciari (SURFsara)

Minutes

SUMMARY:

DISCUSSION

  • Discussed last month's update and progress
  • SURF still have a couple open questions on the client side
    • working - stored JSON on client side, set of responses from IDP/PAM service, allow reuse with the iRODS service until it times out itself… but if expired token, then re-authenticate via PAM
    • No encryption of the token on client side… yet
  • Possible single-signout / logout
    • How to disable/invalidate existing tokens
    • May be protocol-dependent
    • Should it be 'iexit' that does this? Some other operation/endpoint?
    • Is there ever a use case for leaving the temporary password in the iRODS table… no, safer to always get rid of it - force them to reauthenticate anyhow.
  • Eventually/Now - move to JWTs for all tokens we handle inhouse
    • Would replace the current temporary passwords / .irodsA files
    • Already encrypted on the client, well-supported by existing libraries
    • Are we just recreating keycloak? (or punt to it?)
  • Nice intro to OAuth2 and OIDC - https://youtu.be/996OiexHze0
  • Possible move SURF external PAM handshake service to set of iRODS microservices that can be called from the server-side auth plugin - and this removes the need for the external software.
  • Want to make sure all the icommands can pick up and retry on an expired token
    • getenv() should be able to return the name of the requesting client (icp/iput, etc)
    • Can store this in the shared state, send it back to the server
  • Investigate going all in on keycloak
    • No new code!