Tuesday, 2021/01/26
10:00 am ET
Terrell Russell, Dave Fellinger, Alan King, Jason Coposky, Bo Zhou, Kory Draughn, Ton Smeele (Utrecht University), Lazlo Westerhof (Utrecht University), Deep Patel (NIEHS), Mike Conway (NIEHS), Claudio Cacciari (SURFsara)
DISCUSSION
- First meeting since October 2020
- Utrecht and SURF probably waiting for official inclusion
- 4.2.9 won't include this work
- 4-2-stable branch
- 4.3.0 will have client-driven auth plugins (we have 4-5 to port)
- master branch
- By UGM2021 (June)
- 4.2.9 won't include this work
- Utrecht using PAM Python plugin with OIDC to get MFA login on web portal
- Still investigating (together with SURF) options to implement MFA on iCommands / webdav (davRods)
- MFA handled at the OIDC layer, just a token to iRODS
- Keycloak still to be investigated
- Metalnx and OIDC… is that possible/easy?
- Using Spring security, could use existing plugins for OIDC
- Future need to have iRODS reflect consistent users/groups from elsewhere
- Currently available for Kerberos through distinguished user
- Need more flexible approach (iadmin aua) for other authentication mechanisms
- String based - attribute set on the user (metadata, or in user table)
- OIDC email as token available via PAM - has to match (current workaround)
- Will need to implement the client-side flow in both Java (Jargon) and Python (PRC)
- Alongside master branch development
- This authentication flow design has influenced the new iRODS CLI
- https://github.com/irods/irods_client_cli
- Easier for client libraries to implement and maintain