No question openID and oAuth are meant as web solutions. OpenStackID was designed for integration, authentication, and data auth for OpenStack web projects. Leaving public key auth aside for a moment, it's still possible with curl and a parser to authenticate from the command line by posting to openID, receiving a token, then posting back to oAuth for authorization. Maybe it's not pretty, but it's working within the confines of OpenStackID as it exists.

Whether we could/should add ppk to OpenStackID is probably a separate discussion that should be had, one which you've started here: http://lists.openstack.org/pipermail/openstack-infra/2015-April/002673.html

IMO, it would be best to work within the existing system, even if it's a bit cumbersome, and discuss how we can improve or change OpenStackID once we get additional community input on the need for ppk.

Sergey Slypushenko wrote:
Thanks for bringing our discussion back to the mailing list.

The hardest use case here is providing access to some private resources from a CLI client without using any GUI tools. As you understand, a CLI tool cannot pass through the common OpenID auth procedure without workarounds (like opening a browser, for example). Also, I think that passing user creds in a CLI client isn't an appropriate solution either.

Using key pairs for auth from the CLI looks like a good solution, because no sensitive information will be shared in this case. Also, it should be pretty secure. For me, the main disadvantage of this kind of auth is that it is not implemented in the OpenID/oAuth workflow (or I don't know about that). Maybe I am missing something about OpenID/oAuth?

On Wed, Apr 22, 2015 at 11:28 PM, Jimmy McArthur <[email protected] <mailto:[email protected]>> wrote:

    Sergey,

        It looks like this mailing thread is broken. I didn't receive
        your response.

    I think a lot of the responses aren't getting through b/c the
    Infra list was dropped from the discussion. I think it's important
    to have this discussion on a public forum, so adding back in.


        We thought about using tokens generated by OpenstackID, but I
        didn't find how a CLI client can get such kind of token.
        If you know how to get an oAuth token from a CLI tool, please
        share it with me.

    At the moment, we have not implemented that oauth2 workflow:
    https://tools.ietf.org/html/rfc6749#section-4.3 There are some
    security concerns about passing credentials:

        The resource owner password credentials grant type is suitable in
        cases where the resource owner has a trust relationship with the
        client, such as the device operating system or a highly privileged
        application.  The authorization server should take special care when
        enabling this grant type and only allow it when other flows are not
        viable.


    As you can see, this is doable, but not something we'd prefer for
    security reasons. Perhaps if you could clarify the use case? Maybe
    with a bit more information, we could understand why you need to
    get a token for the CLI app. It feels like this is still a desire
    to use oauth2 for some type of authentication.


    --
    Jimmy McArthur / Tipit.net <http://tipit.net/> <[email protected]
    <mailto:[email protected]>>
    512.965.4846 <tel:512.965.4846>


        On Mon, Apr 20, 2015 at 6:49 PM, Sergey Slypushenko
        <[email protected] <mailto:[email protected]>>
        wrote:

            Jimmy,

            Thank you for your comment! That diagram was kind of
            outdated. I have updated it already.
            We are planning to use OpenID for authentication and we
            have already been working on it.

            Regards,
            Sergey



            On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur
            <[email protected] <mailto:[email protected]>> wrote:

                Sergey,

                The biggest thing that stands out is the lack of
                authentication through OpenID. It appears that you're
                still authenticating through oAuth2, which is against
                security best practices and not how OpenStackID is
                designed. For a primer on the difference and why it's
                set up this way:
                http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
                (forgive the title, but it does a nice job of
                illustrating the issue)

                I'm adding Sebastian here to chime in on potential
                technical details and the possibility of setting up
                your own resource server. The important thing though
                is to follow the steps outlined in the OpenStackID
                documentation for proper authentication.

                --
                Jimmy McArthur / Tipit.net <http://Tipit.net>
                <[email protected] <mailto:[email protected]>>
                512.965.4846 <tel:512.965.4846>


                On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko
                <[email protected]
                <mailto:[email protected]>> wrote:

                    Here you can find slides with general user stories:

                      * create a user account
                      * access to a resource requiring user auth in the Web UI
                      * access to a resource requiring user auth in a CLI
                        client

                    https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0

                    Any comments related to this topic will be much
                    appreciated.

                    Regards,
                    Sergey Slipushenko,

                    Software Developer,
                    Kharkiv, Ukraine,
                    Mirantis Inc.


                    _______________________________________________
                    OpenStack-Infra mailing list
                    [email protected]
                    <mailto:[email protected]>
                    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra






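As an added example, not OpenStackID code and not written by anyone in this thread: the grant-type policy an authorization server's token endpoint can apply so that the resource owner password credentials grant quoted above from RFC 6749 section 4.3 is honoured only for an explicitly trusted, confidential client, while every other client is steered to the redirect-based authorization code flow and receives the RFC's section 5.2 error codes. The client registry, secrets and requests are constructed for the example.

```python
"""Token-endpoint grant policy for RFC 6749 section 4.3 (constructed example)."""
import hmac
from urllib.parse import parse_qs

# Constructed client registry (not OpenStackID's). Only the first-party,
# confidential CLI client is allowed the password grant; the rest must use
# the authorization code flow, which never sees the user's password.
CLIENTS = {
    "web-dashboard": {"secret": "s3cr3t-web",
                      "grants": {"authorization_code", "refresh_token"}},
    "trusted-cli": {"secret": "s3cr3t-cli",
                    "grants": {"authorization_code", "refresh_token", "password"}},
}
KNOWN_GRANTS = {"authorization_code", "refresh_token", "password"}


def token_request(body):
    """Parse a form-encoded token request and decide whether it may proceed.

    Returns {"ok": True, ...} or an RFC 6749 section 5.2 style error dict.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    grant = params.get("grant_type")
    if grant is None:
        return {"error": "invalid_request"}
    client = CLIENTS.get(params.get("client_id"))
    secret = params.get("client_secret", "")
    # Authenticate the client before looking at the grant, comparing secrets
    # in constant time so a wrong guess does not leak through timing.
    if client is None or not hmac.compare_digest(secret, client["secret"]):
        return {"error": "invalid_client"}
    if grant not in KNOWN_GRANTS:
        return {"error": "unsupported_grant_type"}
    if grant not in client["grants"]:
        # The server supports this grant, but this client is not trusted with it.
        return {"error": "unauthorized_client"}
    if grant == "password" and not {"username", "password"} <= params.keys():
        return {"error": "invalid_request"}
    return {"ok": True, "client_id": params["client_id"], "grant_type": grant}
```

A real token endpoint would go on to verify the user's credentials (or the authorization code) and mint the token; this block stops at the policy decision, which is the part the RFC text above is about.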