Tuesday, 2023/03/28
10:00 am ET
Terrell Russell, Kory Draughn, Alan King, Martin Flores, Justin James, Tony Edgin (CyVerse), Mike Conway (NIEHS), Harry Kodden (SURF), Claudio Cacciari (SURF), Sai Poomdla (Sanger)
DISCUSSION
- pam_interactive
- Alan: working in Stefan's repository, PR open, tweaks for building against 4.3.1pre and builder image to accept custom iRODS packages (pre-release)
- Started a test suite for the pam_interactive plugin (similar to other plugins we release)
- irods/irods_auth_plugin_pam_interactive#2
- Have started working to implement pam_password via pam_interactive
- Possible future of ONLY pam_interactive... would have to be shown as backwards compatible
- Alan: working in Stefan's repository, PR open, tweaks for building against 4.3.1pre and builder image to accept custom iRODS packages (pre-release)
- OIDC/oauth2 in REST C++ API
- Martin: getting familiar with the specs/standards, expect/plan to handle the auth with OIDC
- then continue to proxy the proven user via rodsadmin from API to iRODS server
- Could alternatively send the oauth access token to the iRODS server and let the pam plugins authenticate/verify directly
- no need for rodsadmin proxy
- audit considerations are important
- Definitely will be drawing diagrams for these flows
- Martin: getting familiar with the specs/standards, expect/plan to handle the auth with OIDC
- Keycloak integrations
- Mike: iRODS DRS (GA4GH) working to get it part of the testing suite
- To keep iRODS visible / relevant to the GA4GH community
- https://github.com/michael-conway/irods-ga4gh-dos
- Harry: keycloak for testing, but stick to the standards for assumptions
- Mike: iRODS DRS (GA4GH) working to get it part of the testing suite
- Claudio: irods temporary password in irodsA file, related bug is two-weeks age of token
- Conflicts with the temporary password (could go beyond the max two-week requirement)
- Solution1: temporary could be very small... 1h? 2w is too long
- Intended to be configurable... but bug is that it doesn't work quite right
- irods/irods#3742
- irods/irods#5096
- Solution2: pam module could dynamically reset the password
- When the token expires, automatically reset the temporary pam password
- Might need a new issue to capture this
- Issues: https://servicedesk.surf.nl/wiki/display/WIKI/iRODS+-+known+issues
- Next Meeting
- April 2023
SUGGESTION:
Bash script to interact with a keycloak instance, will get access token - to demonstrate the OIDC flow
#!/bin/bash
IDP_URL="https://keycloak.exp.sram.lab.surf.nl/realms/demo"
CLIENT_ID="device-auth"
SCOPE="openid"
configuration=$(curl --silent --request GET --url "${IDP_URL}/.well-known/openid-configuration")
device_authorization_endpoint=$(echo "$configuration" | jq -r '.device_authorization_endpoint')
token_endpoint=$(echo "$configuration" | jq -r '.token_endpoint')
token_introspection_endpoint=$(echo "$configuration" | jq -r '.token_introspection_endpoint')
userinfo_endpoint=$(echo "$configuration" | jq -r '.userinfo_endpoint')
response=$(curl --silent --request POST \
--url "${device_authorization_endpoint}" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data "client_id=${CLIENT_ID}" \
--data "scope=${SCOPE}")
COLOR='\033[1;33m' # Yellow
BLANK='\033[0m' # No Color
verification_uri_complete=$(echo $response | jq -r '.verification_uri_complete')
device_code=$(echo $response | jq -r '.device_code')
expires_in=$(echo $response | jq -r '.expires_in')
interval=$(echo $response | jq -r '.interval')
echo "Click on this link to proceed..."
echo -e "${COLOR}$verification_uri_complete${BLANK}"
while [ $expires_in -gt 0 ]
do
sleep $interval
expires_in=$((expires_in-interval))
response=$(curl --silent --request POST \
--url "${token_endpoint}" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id="${CLIENT_ID}" \
--data device_code="${device_code}" \
--data grant_type=urn:ietf:params:oauth:grant-type:device_code)
if echo $response | jq -e 'has("access_token")' > /dev/null; then
access_token="$(echo "${response}" | jq -r '.access_token')"
echo $access_token
break
fi
done