I was trying to write a pure Javascript client hosted on a different domain. As you mentioned earlier JSONP is a potential solution, but it will not work with POST requests.
Cross-site forgery issues need to be thought through carefully. I don't believe they are insurmountable though - it isn't like OpenStack uses session-based authentication where a cookie will automatically be sent authorising the request. The user will need to enter their username & password somewhere to generate the authentication token, and that will need to be passed with every request.

Nick

On Tue, Apr 24, 2012 at 5:50 AM, Tres Henry <[email protected]> wrote:
> Sorry, meant to say "server-less client applications". The OP is trying to create a client-side JS application that communicates directly to an OS endpoint (specifically trystack). I believe his problem is same origin policy, not authentication.
>
> On Apr 23, 2012, at 12:33 PM, Adam Young wrote:
>
> > On 04/23/2012 01:13 PM, Tres Henry wrote:
> >> Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?
> >
> > I am not quite sure what you mean by serverless clients, but I think the answer to this is getting a real Single Sign On solution, which is based on:
> >
> > 1. Kerberos,
> > 2. X509
> >
> > Kerberos is likely a non starter for Web applications due to some current issues with handling multiple TGTs and also cross firewalls (Kerberos tickets must get served out on port 88 without jumping through considerable hoops.)
> >
> > I've written up about X509 support here:
> > http://wiki.openstack.org/PKI
> >
> > I think that X509 Client Authentication is the right long-term approach for what we are doing. Specifically, short term X509 certificates replacing the Keystone tokens as the mechanism for SSO.
> >
> >>
> >> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
> >>
> >>> I see this as a feature, not a drawback. The inability to access portions of the HTTP protocol is there to defend against attacks such as cross site request forgeries. If we suppress that mechanism, we open up a lot of security holes.
> >>>
> >>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
> >>>> The authentication request returns X-Storage-Url and X-Auth-Token headers. For the JS client to see them they need to be referenced in Access-Control-Expose-Headers. As of the last time I checked, both these headers were being stripped from the response before being presented to JS.
> >>>>
> >>>> Adrian
> >>>>
> >>>> On 23 April 2012 10:35, Nick Lothian <[email protected]> wrote:
> >>>>> Hi Adrian,
> >>>>>
> >>>>> Good to know this is a known issue.
> >>>>>
> >>>>> Why does the client need to see custom headers from the server anyway?
> >>>>> I know the client needs to pass the authorisation header to the server, but I haven't seen any of the APIs yet that return custom headers. (It's likely I'm missing them though)
> >>>>>
> >>>>> Nick
> >>>>>
> >>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith" <[email protected]> wrote:
> >>>>>> Hi Nick,
> >>>>>>
> >>>>>> I did some work with CORS a few months back [1].
> >>>>>>
> >>>>>> At the time I couldn't get any browser to work properly with CORS so I just parked the code. The problem was lack of support for the Access-Control-Expose-Headers header.
> >>>>>>
> >>>>>> According to the Chrome bug report [2] this issue may well be fixed now so I need to retest.
> >>>>>>
> >>>>>> Adrian
> >>>>>>
> >>>>>> [1] http://www.mail-archive.com/[email protected]/msg07219.html
> >>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
> >>>>>>
> >>>>>> On 23 April 2012 06:19, Nick Lothian <[email protected]> wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I've been playing with the Nova APIs from Javascript, and I've run into a problem.
> >>>>>>>
> >>>>>>> The very first thing one needs to do to use the APIs is to get a token.
> >>>>>>>
> >>>>>>> That requires a POST to the API endpoint.
> >>>>>>> Using curl & trystack that looks like this:
> >>>>>>>
> >>>>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' -H 'Content-type: application/json'
> >>>>>>>
> >>>>>>> The Javascript equivalent (using JQuery) is:
> >>>>>>>
> >>>>>>> $.ajax({
> >>>>>>>   url: "https://nova-api.trystack.org:5443/v2.0/tokens",
> >>>>>>>   type: 'POST',
> >>>>>>>   headers: {"Content-Type": "application/json"},
> >>>>>>>   // serialise explicitly: jQuery form-encodes a plain object, which would not match the JSON content type
> >>>>>>>   data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>", "password":"<password>"}}}),
> >>>>>>>   success: function(data) { alert(data); }
> >>>>>>> });
> >>>>>>>
> >>>>>>> That fails because the call is cross-domain, and Nova doesn't support CORS (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based cross-domain requests only support GET requests, so that doesn't work either.
> >>>>>>>
> >>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm really hoping someone can point out something obvious I'm missing here.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>> Nick Lothian
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
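As an added example (not code from this thread or from Nova), this is the CORS policy that Adrian's and Nick's messages above imply: the server emits CORS headers only for an allow-listed origin, answers the preflight that a JSON POST triggers, lists X-Auth-Token and X-Storage-Url in Access-Control-Expose-Headers so the JS client can read them, and sets no credentials mode because the token travels in an explicit header rather than a cookie. The `visibleToScript` function models the browser-side filter that strips unexposed headers; the client origin and the token response are constructed.

```javascript
// Added example, not from the thread or from Nova. Origin list and responses are constructed.
const ALLOWED_ORIGINS = new Set(["https://client.example"]); // constructed allow-list
const EXPOSED = ["X-Auth-Token", "X-Storage-Url"];           // headers the JS client must read

// Response headers a browser lets cross-origin script read even without
// Access-Control-Expose-Headers (the CORS-safelisted response headers).
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);

// Server side: CORS headers to add for a request from `origin` using `method`.
// Unknown origins get null (no CORS headers at all): never reflect an arbitrary
// Origin, and never combine "*" with a credentialed mode.
function corsHeaders(origin, method) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const h = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (method === "OPTIONS") {
    // Preflight: a POST with Content-Type: application/json is not a "simple"
    // request, so the browser first asks which methods and headers are allowed.
    h["Access-Control-Allow-Methods"] = "GET, POST";
    h["Access-Control-Allow-Headers"] = "Content-Type, X-Auth-Token";
    h["Access-Control-Max-Age"] = "600";
  } else {
    // Actual response: without this header the browser strips X-Auth-Token and
    // X-Storage-Url before script sees them, which is the behaviour Adrian hit.
    h["Access-Control-Expose-Headers"] = EXPOSED.join(", ");
  }
  // No Access-Control-Allow-Credentials: the client sends X-Auth-Token itself,
  // nothing is attached automatically, so a forged cross-site request carries no auth.
  return h;
}

// Browser side: the subset of `responseHeaders` that cross-origin script can read.
function visibleToScript(responseHeaders) {
  const exposed = (responseHeaders["Access-Control-Expose-Headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const out = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const key = name.toLowerCase();
    if (SAFELISTED.has(key) || exposed.includes(key)) out[name] = value;
  }
  return out;
}

// Constructed token response: first with no CORS headers (as the thread describes),
// then with the policy applied for the allow-listed client origin.
const bare = { "Content-Type": "application/json", "X-Auth-Token": "tok",
  "X-Storage-Url": "https://storage.example/v1" };
const withCors = { ...bare, ...corsHeaders("https://client.example", "POST") };
```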

