Sergey,

Great news! Thanks for the update on OpenID.

Our other question is around the workflow for the authorization tokens. It seems like you're bypassing OAuth2 on OpenStackID in order to manage the authorization on the refstack client. Why not utilize OpenStackID for both OpenID and OAuth2? Basically, create the authorization tokens on the OpenStackID side and create your own resource server as gatekeeper of your API and validate OAuth2 tokens against the introspection endpoint (http://ci.openstack.org/openstackid/oauth2.html#token-introspection).

Thoughts?

Thanks,
Jimmy
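The gatekeeper pattern suggested above, as an added illustration that is not RefStack or OpenStackID code: the API's resource server never interprets the bearer token itself, it asks the authorization server's introspection endpoint (RFC 7662) whether the token is active and what scope and subject it carries, then makes its own allow/deny decision. The introspection URL, the resource server's client credentials, the scope names and the canned introspection responses are all constructed placeholders for this example; the real endpoint and credential handling are documented on the OpenStackID page linked above.

```python
"""Resource-server gatekeeper that validates OAuth2 bearer tokens via a
token introspection endpoint (RFC 7662).  Added example, not project code."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders (assumed, not taken from the thread): the authorization
# server's introspection URL and the credentials it issued to this
# resource server so that only registered servers can probe tokens.
INTROSPECTION_URL = "https://openstackid.example/oauth2/token/introspection"
RS_CLIENT_ID = "refstack-api"       # placeholder
RS_CLIENT_SECRET = "change-me"      # placeholder


def http_introspect(token):
    """POST the token to the introspection endpoint (RFC 7662 section 2.1),
    authenticating as the resource server with HTTP Basic, and return the
    JSON introspection response."""
    creds = base64.b64encode(
        f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    req = urllib.request.Request(
        INTROSPECTION_URL, data=body, method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authorize(authorization_header, required_scope,
              introspect=http_introspect, now=None):
    """Gatekeeper decision for one API request.

    Returns (True, subject) when the bearer token is active, unexpired and
    carries `required_scope`; otherwise (False, reason).  Any failure to
    reach the authorization server is treated as a denial (fail closed)."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return False, "missing bearer token"
    try:
        info = introspect(token)
    except Exception as exc:
        return False, f"introspection unavailable: {exc.__class__.__name__}"
    if not info.get("active"):
        return False, "token inactive"
    exp = info.get("exp")
    if exp is not None and exp <= now:   # belt and braces: AS should already say inactive
        return False, "token expired"
    granted = set((info.get("scope") or "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, info.get("sub")


# Constructed introspection responses standing in for the authorization
# server, so the example runs offline.  NOW is a fixed constructed clock.
NOW = 1_429_560_000
FAKE_RESPONSES = {
    "good":    {"active": True, "scope": "results:read results:write",
                "sub": "user-42", "client_id": "refstack-cli", "exp": NOW + 3600},
    "revoked": {"active": False},
    "stale":   {"active": True, "scope": "results:read", "sub": "user-7", "exp": NOW - 1},
    "narrow":  {"active": True, "scope": "profile", "sub": "user-9", "exp": NOW + 3600},
}


def fake_introspect(token):
    """Offline stand-in for http_introspect; unknown tokens are inactive."""
    return FAKE_RESPONSES.get(token, {"active": False})


def broken_introspect(token):
    """Simulates an unreachable authorization server."""
    raise ConnectionError("authorization server unreachable")


if __name__ == "__main__":
    for header in ["Bearer good", "Bearer revoked", "Bearer stale",
                   "Bearer narrow", "Basic abc", None]:
        print(repr(header), "->", authorize(header, "results:read", fake_introspect, NOW))
```

The design point is that the API holds no shared signing key and never decodes the token: revocation takes effect the moment the authorization server reports `active: false`, and the resource server's only secret is its own client credential for the introspection call. In production, `http_introspect` would replace `fake_introspect`, and responses would normally be cached for a short interval to keep introspection traffic bounded.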



Sergey Slypushenko wrote:
Jimmy,

Thank you for your comment! That diagram was kind of outdated. I have updated it already. We are planning to use OpenID for authentication and we have been already working on it.

Regards,
Sergey



On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <[email protected]> wrote:

    Sergey,

    The biggest thing that stands out is the lack of authentication
    through OpenID. It appears that you're still authenticating
    through OAuth2, which is against security best practices and not
    how OpenStackID is designed. For a primer on the difference and
    why it's set up this way:

    http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
    (forgive the title, but it does a nice job of illustrating the issue)

    I'm adding Sebastian here to chime in on potential technical
    details and the possibility of setting up your own resource
    server. The important thing though is to follow the steps outlined
    in the OpenStackID documentation for proper authentication.

    --
    Jimmy McArthur / Tipit.net <http://Tipit.net> <[email protected]>
    512.965.4846


    On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko
    <[email protected]> wrote:

        Here you can find slides with general user stories:

          * create user account
          * access to a resource that requires user auth in the Web UI
          * access to a resource that requires user auth in the CLI client

        https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0

        Any comments related to this topic will be very appreciated.

        Regards,
        Sergey Slipushenko,

        Software Developer,
        Kharkiv, Ukraine,
        Mirantis Inc.


        _______________________________________________
        OpenStack-Infra mailing list
        [email protected]
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra


