Skip to content

Latest commit

 

History

History
118 lines (80 loc) · 4.06 KB

20230328-minutes.md

File metadata and controls

118 lines (80 loc) · 4.06 KB

Authentication Working Group Minutes

Tuesday, 2023/03/28

10:00 am ET

Attendees:

Terrell Russell, Kory Draughn, Alan King, Martin Flores, Justin James, Tony Edgin (CyVerse), Mike Conway (NIEHS), Harry Kodden (SURF), Claudio Cacciari (SURF), Sai Poomdla (Sanger)

Minutes

SUMMARY:

DISCUSSION

  • pam_interactive
    • Alan: working in Stefan's repository, PR open, tweaks for building against 4.3.1pre and builder image to accept custom iRODS packages (pre-release)
      • Started a test suite for the pam_interactive plugin (similar to other plugins we release)
      • irods/irods_auth_plugin_pam_interactive#2
      • Have started working to implement pam_password via pam_interactive
        • Possible future of ONLY pam_interactive... would have to be shown as backwards compatible
  • OIDC/oauth2 in REST C++ API
    • Martin: getting familiar with the specs/standards, expect/plan to handle the auth with OIDC
      • then continue to proxy the proven user via rodsadmin from API to iRODS server
      • Could alternatively send the oauth access token to the iRODS server and let the pam plugins authenticate/verify directly
        • no need for rodsadmin proxy
        • audit considerations are important
      • Definitely will be drawing diagrams for these flows
  • Keycloak integrations
    • Mike: iRODS DRS (GA4GH) working to get it part of the testing suite
    • Harry: keycloak for testing, but stick to the standards for assumptions
  • Claudio: irods temporary password in irodsA file, related bug is two-weeks age of token
    • Conflicts with the temporary password (could go beyond the max two-week requirement)
    • Solution1: temporary could be very small... 1h? 2w is too long
    • Solution2: pam module could dynamically reset the password
      • When the token expires, automatically reset the temporary pam password
      • Might need a new issue to capture this
    • Issues: https://servicedesk.surf.nl/wiki/display/WIKI/iRODS+-+known+issues
  • Next Meeting
    • April 2023

SUGGESTION:

Bash script to interact with a keycloak instance, will get access token - to demonstrate the OIDC flow

#!/bin/bash


IDP_URL="https://keycloak.exp.sram.lab.surf.nl/realms/demo"
CLIENT_ID="device-auth"
SCOPE="openid"


configuration=$(curl --silent --request GET --url "${IDP_URL}/.well-known/openid-configuration")


device_authorization_endpoint=$(echo "$configuration" | jq -r '.device_authorization_endpoint')
token_endpoint=$(echo "$configuration" | jq -r '.token_endpoint')
token_introspection_endpoint=$(echo "$configuration" | jq -r '.token_introspection_endpoint')
userinfo_endpoint=$(echo "$configuration" | jq -r '.userinfo_endpoint')


response=$(curl --silent --request POST \
 --url "${device_authorization_endpoint}" \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data "client_id=${CLIENT_ID}" \
 --data "scope=${SCOPE}")


COLOR='\033[1;33m' # Yellow
BLANK='\033[0m' # No Color


verification_uri_complete=$(echo $response | jq -r '.verification_uri_complete')
device_code=$(echo $response | jq -r '.device_code')
expires_in=$(echo $response | jq -r '.expires_in')
interval=$(echo $response | jq -r '.interval')


echo "Click on this link to proceed..."
echo -e "${COLOR}$verification_uri_complete${BLANK}"


while [ $expires_in -gt 0 ]
do
 sleep $interval
 expires_in=$((expires_in-interval))


 response=$(curl --silent --request POST \
   --url "${token_endpoint}" \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data client_id="${CLIENT_ID}" \
   --data device_code="${device_code}" \
   --data grant_type=urn:ietf:params:oauth:grant-type:device_code)


 if echo $response | jq -e 'has("access_token")' > /dev/null; then
   access_token="$(echo "${response}" | jq -r '.access_token')"


   echo $access_token


   break
 fi


done