Sorry for the delayed reply. I was swamped with some assignments and personal commitments.
On Mon, Feb 17, 2014 at 11:18 AM, Sachith Withana <[email protected]> wrote:

> The whole problem arises because we need to authenticate the client.
>
> In mutual authentication, you need to set up the server as well to support
> each and every client (by adding certificates manually). But scalability
> can be an issue here?
>
> In terms of having a public API, Google, Evernote and Amazon Web Services
> use OAuth 2.0 to authenticate the client.
> And Evernote is using Thrift as well.
> How do they use Thrift?

Without having an understanding of the architecture of those applications, it's hard to say whether their security implementation also suits Airavata.

> I thought in terms of the SciGap perspective (it can also support the
> current use case scenarios).
>
> But as you mentioned, it can make things more complicated. (Since whoever
> is using the Thrift client would have to program to use the OAuth.)
>
> For learning purposes: in terms of the operation, don't these two do the
> same thing? (OAuth coupled with server public key authentication vs mutual
> authentication using certificates) (apart from the fact that OAuth
> supports delegation?)

I don't think so ...

> User is delegating the Thrift client to use the server, right?

I am sorry, I don't understand what you meant here. Usually, if you want to grant some third party access to a server to get something done on behalf of you, then you use OAuth. In the case of SciGap I don't see an entity providing third-party access on behalf of some other entity. Am I missing something from the big picture?

SciGap is multi-tenant Airavata. So there should be a registration step for each gateway. During the registration step we can establish the mutual authentication by exchanging server and client certificates. Therefore I think for the SciGap case also mutual authentication matches.
Thank you
Regards
Thejaka Amila

> On Mon, Feb 17, 2014 at 11:01 AM, Amila Jayasekara <[email protected]> wrote:
>
> > On Mon, Feb 17, 2014 at 10:36 AM, Sachith Withana <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > We are exploring the options on securing the Thrift API.
> > >
> > > Our objective is to authenticate the server and authorize the client.
> >
> > What do you mean by authorizing the client?
> >
> > > The options we are exploring are
> > >
> > > 1. mutual authentication using client and server certificates
> >
> > This seems to be a good fit according to my understanding.
> >
> > > 2. Use the server certificate to set up an SSL communication and use OAuth
> > > 1 or 2 for the client Authorization
> >
> > I don't see a requirement for doing this. Usually we use OAuth when we need
> > delegation. I am not clear how a delegation model fits here. Also it makes
> > things complicated.
> >
> > Thanks
> > Amila
> >
> > > Any suggestions on this matter are highly appreciated!
> > >
> > > --
> > > Thanks,
> > > Sachith Withana
>
> --
> Thanks,
> Sachith Withana
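The mutual-authentication design the thread settles on (a registration step that issues each gateway a client certificate from a CA the API server trusts, and a server that refuses any connection without such a certificate), as an added example that is not from the original thread, from Airavata or from Thrift. It is written in Go against the standard library rather than Thrift's Java TSSLTransportFactory because Go can generate the whole PKI in memory and run the exchange offline on loopback; the CA name "airavata-gateway-ca", the server name "airavata-api" and the gateway names are assumptions. The same policy in Thrift's Java transport is TSSLTransportParameters.requireClientAuth(true) on the server with a truststore that holds the gateway CA, and a keystore holding the gateway's own certificate on the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert mints an ECDSA P-256 certificate for cn: a self-signed root when
// isCA is set (the gateway CA), otherwise one signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the loopback server is verified against
	}
	signer, signerKey := parent, parentKey
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// gatewayPKI is what the registration step produces: one trust root, the API
// server's certificate and one client certificate per gateway. The server only
// needs the CA, so registering another gateway never touches its configuration.
type gatewayPKI struct {
	caPool   *x509.CertPool
	server   tls.Certificate
	gateways map[string]*tls.Certificate
}

func registerGateways(names ...string) (*gatewayPKI, error) {
	caCert, caKey, err := issueCert("airavata-gateway-ca", true, nil, nil) // assumed CA name
	if err != nil {
		return nil, err
	}
	p := &gatewayPKI{caPool: x509.NewCertPool(), gateways: map[string]*tls.Certificate{}}
	p.caPool.AddCert(caCert)
	for _, name := range append([]string{"airavata-api"}, names...) { // server identity first
		c, k, err := issueCert(name, false, caCert, caKey)
		if err != nil {
			return nil, err
		}
		p.gateways[name] = &tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
	}
	p.server = *p.gateways["airavata-api"]
	delete(p.gateways, "airavata-api")
	return p, nil
}

// startServer listens on loopback and requires a client certificate chained to
// the gateway CA; anything else fails the handshake before application code runs.
func startServer(p *gatewayPKI) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{p.server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.caPool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) { // greet only a client whose certificate verified
				defer tc.Close()
				if tc.Handshake() == nil {
					fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
				}
			}(conn.(*tls.Conn))
		}
	}()
	return ln, nil
}

// connectAs trusts roots for the server and presents cert (nil: none) as the
// client identity, returning the greeting or the TLS error. Under TLS 1.3 the
// server's rejection arrives as an alert on the first read, not at Dial.
func connectAs(addr string, roots *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

func main() {
	p, err := registerGateways("gateway-a") // assumed gateway name
	if err != nil {
		panic(err)
	}
	ln, err := startServer(p)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println(connectAs(ln.Addr().String(), p.caPool, p.gateways["gateway-a"])) // hello gateway-a <nil>
	fmt.Println(connectAs(ln.Addr().String(), p.caPool, nil))                      // "" and a certificate-required error
}
```

This answers the scalability worry raised earlier in the thread: the server stores only the CA, not every gateway's certificate, so registering a new gateway means issuing one certificate and changing nothing on the server. The caveat a deployment must handle is revocation: once a gateway's certificate is issued it stays valid until NotAfter, and crypto/tls performs no CRL or OCSP checks on its own, so use short lifetimes or add a VerifyPeerCertificate callback that consults a revocation list kept by the registration service.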
