This email is intended to introduce some security discussion. One of the advantages of Thrift is the ability it will give us to integrate native-language SDKs with desktop clients. This requires, though, that we think through our security model. In the usual browser-based use case, the user does not make direct calls to the API. These come instead from the gateway server, and we can establish a trust relationship (such as SSL mutual authentication).
For the desktop client case, users make direct calls to the Airavata API server, so we have three actors: the desktop application, the API Server, and an auth service. The Auth service performs initial authentication of the user; it is a service that is gateway-dependent. Without going into too many details, OAuth is the usual protocol for doing this. Evernote, in their Thrift API, provides this as an option. Evernote (from what I can tell) uses Thrift over HTTP, or at least uses an HTTP proxy.

If we stay with TCP/IP Thrift services in Airavata, does this mean we need to implement OAuth ourselves? Thrift also has a different use case in that they are not a multi-tenanted service: they own all the accounts that they authenticate. In contrast, a single Airavata server may support several unrelated gateways. Each gateway would manage its own user accounts. What are the best options for Airavata?

Marlon
