Tuesday, 2023/08/22
10:00 am ET
Terrell Russell, Kory Draughn, Alan King, Martin Flores, Harry Kodden (SURF), Tony Edgin (CyVerse), Claudio Cacciari (SURF)
DISCUSSION
- New server-side function for verifying credentials without logging in
- For native authentication, to be used alongside rc_switch_user (coming in 4.3.1)
- Merged
- OIDC/OAuth2 in HTTP API
- Active PR - irods/irods_client_http_api#75
- Options for handling errors
- Currently planning to log a lot and return the error to the client
- Anything else that needs to be done? Should be done? Nice to have?
- Possibly additional loggers for OIDC vs 'main server'
- Alternative user mapping plugins… using OIDC claim information at the moment
- Could be a variable that is checked, rather than hard-coded name
- Noticed the 'sub' doesn't change / persistent across logins
- Could be in a static local file mapping
- SURF has/had a configuration file that held the mapping
- Static per-provider…
- A little dynamic - could be regular expression match on names
- Or per dept, etc. due to what information comes back from OIDC provider
- Planning new work around 'state' in the HTTP API
- Going with UUID for now, unless better ideas / concerns
- Does the HTTP API / OIDC work affect the PAM interactive work in any way?
- pam_password is a subset of pam_interactive
- PAM (behind iRODS) cannot handle the web-friendly OIDC flows
- An iRODS server could be set up with both, but a particular user probably will not see 'both'
- Harry's ready to test it all out.
- SURF - honoring a refresh token? Not yet, will add to the list
- Honoring a timeout/expiry time
- Honoring a sidechannel logout
- Next Meeting
- Sept 2023