Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-18 Thread Adam Young
On 09/17/2014 11:56 AM, Matthieu Huin wrote: Hi, - Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Wednesday, September 17, 2014 5:00:16 PM Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation On 09/17/2014 10:35 AM

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-18 Thread David Chadwick
Adam I agree with you David On 18/09/2014 17:17, Adam Young wrote: On 09/17/2014 11:53 AM, Marek Denis wrote: Hi, First of all, we should clarify whether your JS client wants to implement ECP or WebSSO workflow. They are slightly different. ECP seems to be poorly supported in live

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Richard Jones
You're quite probably correct - going through the OWASP threat list in more detail is on my TODO. That was just off the top of my head as something that has me concerned but I've not investigated it thoroughly. On 17 September 2014 14:15, Adam Young ayo...@redhat.com wrote: On 09/16/2014 08:56

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give the user the list of IDPs/protocols that are trusted, the call to Keystone needs to be authenticated. But the user

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Steve Martinelli
@kent.ac.uk, Date: 09/17/2014 09:42 AM Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Marek Denis
On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense. I think this might be useful in an academic/science world but on the other hand most cloud providers from the 'business' world might be very

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
On 17/09/2014 14:55, Marek Denis wrote: On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense. I think this might be useful in an academic/science world but on the other hand most cloud

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Tim Bell
Has Kristy's patch made it into Juno? Tim -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: 17 September 2014 15:37 To: openstack-dev@lists.openstack.org; Kristy Siu Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation Hi Adam

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
On 09/17/2014 10:07 AM, David Chadwick wrote: On 17/09/2014 14:55, Marek Denis wrote: On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense. I think this might be useful in an academic/science world

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Steve Martinelli
, Date: 09/17/2014 10:10 AM Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation On 17/09/2014 14:55, Marek Denis wrote: On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the list of trusted IdPs publicly available makes sense

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
this would work as well, but wouldn't it require two different API calls? On 17/09/2014 15:17, Adam Young wrote: On 09/17/2014 10:07 AM, David Chadwick wrote: On 17/09/2014 14:55, Marek Denis wrote: On 17.09.2014 15:45, Steve Martinelli wrote: ++ to your suggestion David, I think making the

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
/2014 15:14, Tim Bell wrote: Has Kristy's patch made it into Juno? Tim -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: 17 September 2014 15:37 To: openstack-dev@lists.openstack.org; Kristy Siu Subject: Re: [openstack-dev] [Keystone][Horizon] CORS

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
] [Keystone][Horizon] CORS and Federation Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give the user the list of IDPs/protocols that are trusted, the call to Keystone

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Adam Young
On 09/17/2014 10:35 AM, David Chadwick wrote: this would work as well, but wouldn't it require two different API calls? I think it would be 2 calls no matter what. OK, let's talk this through: 1. Configure Horizon to return a generic login page, with a button that says Or do Federated 2.

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
Tim -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: 17 September 2014 15:37 To: openstack-dev@lists.openstack.org; Kristy Siu Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation Hi Adam Kristy has already added support to Horizon

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Marek Denis
Hi, First of all, we should clarify whether your JS client wants to implement ECP or WebSSO workflow. They are slightly different. I feel JS is smart enough to implement the ECP flow and then it could simply implement what we already have in the keystoneclient [0]. This + some discovery

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread Matthieu Huin
Hi, - Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Wednesday, September 17, 2014 5:00:16 PM Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation On 09/17/2014 10:35 AM, David Chadwick wrote: this would work

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread K . W . S . Siu
@lists.openstack.org; Kristy Siu Subject: Re: [openstack-dev] [Keystone][Horizon] CORS and Federation Hi Adam Kristy has already added support to Horizon for federated login to Keystone. She will send you details of how she did this. One issue that arose was this: in order to give

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-17 Thread David Chadwick
On 17/09/2014 16:53, Marek Denis wrote: Hi, First of all, we should clarify whether your JS client wants to implement ECP or WebSSO workflow. They are slightly different. Our modification to Horizon uses WebSSO since this is the obvious profile for a browser to use as it can handle

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Gabriel Hurley
This is generally the right plan. The hard parts are in getting people to deploy it correctly and securely, and handling fallback cases for lack of browser support, etc. What we really don't want to do is to encourage people to set Access-Control-Allow-Origin: * type headers or other such

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Adam Young
On 09/16/2014 06:59 PM, Gabriel Hurley wrote: This is generally the right plan. The hard parts are in getting people to deploy it correctly and securely, and handling fallback cases for lack of browser support, etc. Do we really care about Browser support? I mean, are we really going to have

Re: [openstack-dev] [Keystone][Horizon] CORS and Federation

2014-09-16 Thread Adam Young
On 09/16/2014 08:56 PM, Richard Jones wrote: CORS for all of OpenStack is possible once the oslo middleware lands*, but as you note it's only one of many elements to be considered when exposing the APIs to browsers. There is no current support for CSRF protection in the OpenStack APIs, for