Jimmy,

Thanks a lot for your efforts!

But how can we verify that data from the OpenID endpoint was received from an openstackid.org endpoint rather than from somewhere else?

On Mon, Apr 20, 2015 at 8:20 PM, Jimmy Mcarthur <[email protected]> wrote:
> Sergey,
>
> Great news! Thanks for the update on OpenID.
>
> Our other question is around the workflow for the Authorization tokens. It seems like you're bypassing oAuth2 on OpenStackID in order to manage the authorization on the refstack client. Why not utilize OpenStackID for both openid and oAuth2? Basically create the authorization tokens on the OpenStackID side and create your own resource server as gatekeeper of your API and validate oauth2 tokens against the introspection endpoint (http://ci.openstack.org/openstackid/oauth2.html#token-introspection).
>
> Thoughts?
>
> Thanks,
> Jimmy
>
> Sergey Slypushenko wrote:
>
> Jimmy,
>
> Thank you for your comment! That diagram was kind of outdated. I have updated it already.
>
> We are planning to use OpenID for authentication and we have already been working on it.
>
> Regards,
> Sergey
>
> On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <[email protected]> wrote:
>> Sergey,
>>
>> The biggest thing that stands out is the lack of authentication through OpenID. It appears that you're still authenticating through oAuth2, which is against security best practices and not how OpenStackID is designed. For a primer on the difference and why it's set up this way:
>> http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
>> (forgive the title, but it does a nice job of illustrating the issue)
>>
>> I'm adding Sebastian here to chime in on potential technical details and the possibility of setting up your own resource server. The important thing though is to follow the steps outlined in the OpenStackID documentation for proper authentication.
>>
>> --
>> Jimmy McArthur / Tipit.net <[email protected]>
>> 512.965.4846
>>
>> On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko <[email protected]> wrote:
>>> Here you can find slides with general user stories:
>>>
>>> - create user account
>>> - access to resource required user auth in Web UI
>>> - access to resource required user auth in CLI client
>>>
>>> https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0
>>>
>>> Any comments related to this topic will be very appreciated.
>>>
>>> Regards,
>>> Sergey Slipushenko,
>>>
>>> Software Developer,
>>> Kharkiv, Ukraine,
>>> Mirantis Inc.
_______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
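The resource-server pattern Jimmy describes above (tokens issued by OpenStackID, a gatekeeper in front of the refstack API that validates each presented bearer token against the token introspection endpoint), written out as an added example that is not code from the thread, refstack or OpenStackID. The introspection URL, the resource server's client credentials and the RFC 7662-style response fields (`active`, `scope`, `exp`, `client_id`) are assumptions; the transport is injectable so the decision logic can be exercised with constructed responses.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values (not from the thread): the introspection URL and the
# resource server's own client credentials used to authenticate to it.
INTROSPECTION_URL = "https://openstackid.example/oauth2/token/introspection"
CLIENT_ID = "resource-server-client-id"
CLIENT_SECRET = "resource-server-client-secret"


def post_form(url, fields, user, password):
    """Default transport: form-encoded POST with HTTP Basic client auth."""
    body = urllib.parse.urlencode(fields).encode()
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Basic " + creds)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def check_introspection(resp, required_scope, now=None):
    """Authorization decision from an RFC 7662-style introspection response.

    The token is trusted only because the endpoint this server configured
    (reached over TLS) reports it active with the scope the API requires.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:      # inactive, revoked or unknown token
        return False, "token not active"
    exp = resp.get("exp")
    if exp is not None and exp <= now:      # defensive re-check of expiry
        return False, "token expired"
    granted = set(str(resp.get("scope", "")).split())
    if required_scope not in granted:
        return False, "missing scope " + required_scope
    return True, "authorized client " + str(resp.get("client_id", "?"))


def authorize_request(bearer_token, required_scope, post=post_form, now=None):
    """Gatekeeper entry point: introspect the presented token, then decide."""
    if not bearer_token:
        return False, "no bearer token"
    resp = post(INTROSPECTION_URL, {"token": bearer_token}, CLIENT_ID, CLIENT_SECRET)
    return check_introspection(resp, required_scope, now)
```

The API's request handler calls `authorize_request(token, "read")` (or whatever scope the resource needs) and serves the request only on a `True` decision.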
