Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-18 Thread David Chadwick
Adam I agree with you David On 18/09/2014 17:17, Adam Young wrote: > On 09/17/2014 11:53 AM, Marek Denis wrote: >> Hi, >> >> First of all, we should clarify whether your JS client wants to >> implement ECP or WebSSO workflow. They are slightly different. > > ECP seems to be poorly supported in li

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-18 Thread Adam Young
On 09/17/2014 11:56 AM, Matthieu Huin wrote: Hi, - Original Message - From: "Adam Young" To: openstack-dev@lists.openstack.org Sent: Wednesday, September 17, 2014 5:00:16 PM Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation On 09/17/2014 10:35 AM, Davi

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-18 Thread Adam Young
On 09/17/2014 11:53 AM, Marek Denis wrote: Hi, First of all, we should clarify whether your JS client wants to implement ECP or WebSSO workflow. They are slightly different. ECP seems to be poorly supported in live deployments, and we cannot count on it. WebSSO is the first round. We should

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
On 17/09/2014 16:53, Marek Denis wrote: > Hi, > > First of all, we should clarify whether your JS client wants to > implement ECP or WebSSO workflow. They are slightly different. Our modification to Horizon uses WebSSO since this is the obvious profile for a browser to use as it can handle redi

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread K . W . S . Siu
that a newer version will be uploaded very shortly as the above > version contains partial VO documentation which will be stripped out > until we can complete it later this month or next. > > regards > > David > > >> >> >>> >>> Tim >>

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Matthieu Huin
Hi, - Original Message - > From: "Adam Young" > To: openstack-dev@lists.openstack.org > Sent: Wednesday, September 17, 2014 5:00:16 PM > Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation > > On 09/17/2014 10:35 AM, David Chadwick wrote: &

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Marek Denis
Hi, First of all, we should clarify whether your JS client wants to implement ECP or WebSSO workflow. They are slightly different. I feel JS is smart enough to implement the ECP flow and then it could simply implement what we already have in the keystoneclient [0]. This + some "discovery

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
partial VO documentation which will be stripped out until we can complete it later this month or next. regards David > > >> >> Tim >> >>> -Original Message- >>> From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] >>> Sent: 17 September 2

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
On 09/17/2014 10:35 AM, David Chadwick wrote: this would work as well, but wouldn't it require two different API calls? I think it would be 2 calls no matter what. OK, let's talk this through: 1. Configure Horizon to return a generic login page, with a button that says "Or do Federated" 2.

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
[openstack-dev] [Keystone][Horizon] CORS and Federation Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give the user the list of IDPs/protocols that are trusted, the ca

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
On 17/09/2014 15:14, Tim Bell wrote: > Has Kristy's patch made it into Juno? > > > Tim > >> -Original Message- >> From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] >> Sent: 17 September 2014 15:37 >> To: openstack-dev@lists.openstack.org

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
this would work as well, but wouldn't it require two different API calls? On 17/09/2014 15:17, Adam Young wrote: > On 09/17/2014 10:07 AM, David Chadwick wrote: >> >> On 17/09/2014 14:55, Marek Denis wrote: >>> >>> On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I th

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Steve Martinelli
Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation > > > > On 17/09/2014 14:55, Marek Denis wrote: > > > > > > On 17.09.2014 15:45, Steve Martinelli wrote: > >> ++ to your suggestion David, I think making the list of trusted IdPs > &g

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
On 09/17/2014 10:07 AM, David Chadwick wrote: On 17/09/2014 14:55, Marek Denis wrote: On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense. I think this might be useful in an academic/science world bu

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Tim Bell
Has Kristy's patch made it into Juno? Tim > -Original Message- > From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] > Sent: 17 September 2014 15:37 > To: openstack-dev@lists.openstack.org; Kristy Siu > Subject: Re: [openstack-dev] [Keystone][Horizon] CORS an

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
On 17/09/2014 14:55, Marek Denis wrote: > > > On 17.09.2014 15:45, Steve Martinelli wrote: >> ++ to your suggestion David, I think making the list of trusted IdPs >> publicly available makes sense. > > I think this might be useful in an academic/science world but on the > other hand most cloud

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Marek Denis
On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense. I think this might be useful in an academic/science world but on the other hand most cloud providers from the 'business' world might be very relu

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Steve Martinelli
penstack-dev] [Keystone][Horizon] CORS and Federation > > Hi Adam > > Kristy has already added support to Horizon for federated login to > Keystone. She will send you details of how she did this. > > One issue that arose was this: > in order to give the user the list of ID

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give the user the list of IDPs/protocols that are trusted, the call to Keystone needs to be authenticated. But the user is

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Richard Jones
You're quite probably correct - going through the OWASP threat list in more detail is on my TODO. That was just off the top of my head as something that has me concerned but I've not investigated it thoroughly. On 17 September 2014 14:15, Adam Young wrote: > On 09/16/2014 08:56 PM, Richard Jone

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Adam Young
On 09/16/2014 08:56 PM, Richard Jones wrote: CORS for all of OpenStack is possible once the oslo middleware lands*, but as you note it's only one of many elements to be considered when exposing the APIs to browsers. There is no current support for CSRF protection in the OpenStack APIs, for exam

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Adam Young
On 09/16/2014 06:59 PM, Gabriel Hurley wrote: This is generally the right plan. The hard parts are in getting people to deploy it correctly and securely, and handling fallback cases for lack of browser support, etc. Do we really care about Browser support? I mean, are we really going to have

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Richard Jones
CORS for all of OpenStack is possible once the oslo middleware lands*, but as you note it's only one of many elements to be considered when exposing the APIs to browsers. There is no current support for CSRF protection in the OpenStack APIs, for example. I believe that sort of functionality belongs

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Gabriel Hurley
This is generally the right plan. The hard parts are in getting people to deploy it correctly and securely, and handling fallback cases for lack of browser support, etc. What we really don't want to do is to encourage people to set "Access-Control-Allow-Origin: *" type headers or other such non