Skip to content

Latest commit

 

History

History
40 lines (31 loc) · 1.65 KB

20210126-minutes.md

File metadata and controls

40 lines (31 loc) · 1.65 KB

Authentication Working Group Minutes

Tuesday, 2021/01/26

10:00 am ET

Attendees:

Terrell Russell, Dave Fellinger, Alan King, Jason Coposky, Bo Zhou, Kory Draughn, Ton Smeele (Utrecht University), Lazlo Westerhof (Utrecht University), Deep Patel (NIEHS), Mike Conway (NIEHS), Claudio Cacciari (SURFsara)

Minutes

SUMMARY:

DISCUSSION

  • First meeting since October 2020
  • Utrecht and SURF probably waiting for official inclusion
    • 4.2.9 won't include this work
      • 4-2-stable branch
    • 4.3.0 will have client-driven auth plugins (we have 4-5 to port)
      • master branch
      • By UGM2021 (June)
  • Utrecht using PAM Python plugin with OIDC to get MFA login on web portal
    • Still investigating (together with SURF) options to implement MFA on iCommands / webdav (davRods)
    • MFA handled at the OIDC layer, just a token to iRODS
  • Keycloak still to be investigated
  • Metalnx and OIDC… is that possible/easy?
    • Using Spring security, could use existing plugins for OIDC
  • Future need to have iRODS reflect consistent users/groups from elsewhere
    • Currently available for Kerberos through distinguished user
    • Need more flexible approach (iadmin aua) for other authentication mechanisms
      • String based - attribute set on the user (metadata, or in user table)
      • OIDC email as token available via PAM - has to match (current workaround)
  • Will need to implement the client-side flow in both Java (Jargon) and Python (PRC)
    • Alongside master branch development
  • This authentication flow design has influenced the new iRODS CLI