On 2015-04-23 22:58:50 +0300 (+0300), Sergey Slypushenko wrote:
> We decided to change authorization with OpenID creds to auth with
> pubkeys for the CLI client. It is the single reason why refstack needs
> pubkey management. So, here we don't discuss a way to manage
> pubkeys with OpenStackID. I me
Thank you for a really interesting discussion. You can code something and
think you planned for everything, but there is always a corner case to keep
you in check! I think adding ppk is a fine idea, but definitely something
that needs to be custom developed and thought through. Hopefully the lack
o
It is interesting that it is possible to receive an OpenID token just with
curl and a parser. In any case, for successful authorization with curl you
should put your OpenID credentials in the CLI. It requires deep trust in our
application (which we actually don't have). We try to avoid that kind
of
No question, OpenID and OAuth are meant as web solutions. OpenStackID was
designed for integration, authentication, and data auth for OpenStack
web projects. Leaving public key auth aside for a moment, it's still
possible with curl and a parser to authenticate from the command line by
posting to
Thanks for bringing our discussion back to the mailing list.
The hardest use case here is providing access to some private resources
from the CLI client without using any GUI tools. As you understand, a CLI
tool cannot pass through the common OpenID auth procedure without
workarounds (like opening
Sergey,
It looks like this mailing thread is broken. I didn't receive your response.
>
I think a lot of the responses aren't getting through b/c the Infra list
was dropped from the discussion. I think it's important to have this
discussion on a public forum, so adding back in.
>
> We thought abou
Here you have more info about it:
http://seclab.stanford.edu/websec/csrf/csrf.pdf
*To defend against these attacks, the Relying Party should generate a fresh
nonce at the start of the protocol, store the nonce in the browser’s cookie
store and include the nonce in the return_to parameter of the Open
Hi Vlad, one thing that you could implement is to pass a "state" query
string param in the openid.return_to value and associate it with the user
session; once you return back to the RP, the state param would be returned
also and you could check against it to prevent this kind of attack.
Regards
On Tue, Apr 21,
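As an added example (not refstack or OpenStackID code), here is how a relying party can implement the per-session nonce from the Stanford paper and the "state" parameter suggested above, and then check the assertion that comes back: the state must match the one bound to the session and is consumed on first use, the signed openid.return_to must be exactly the RP's own callback, openid.op_endpoint must be the expected OP, and the HMAC signature over the fields listed in openid.signed must verify with the association's MAC key (OpenID 2.0 section 6.1). The endpoint URL, callback URL, in-memory session dict and the simulated OP response are assumptions made for the illustration; establishing the association and checking openid.response_nonce for replay are left out.

```python
"""Added example: binding an OpenID 2.0 login to the browser session with a
fresh 'state' nonce and verifying the positive assertion on return.
Not refstack/OpenStackID code; URLs, session store and the simulated OP
response are assumptions for the illustration."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OP_ENDPOINT = "https://openstackid.org/accounts/openid2"   # assumed OP endpoint
RP_RETURN_BASE = "https://refstack.example/v1/auth/return"  # hypothetical RP callback


def start_login(session: dict) -> str:
    """Generate a fresh nonce, keep it in the (cookie-backed) server session,
    and embed it in return_to so the OP hands it back to us unchanged."""
    state = secrets.token_urlsafe(32)
    session["openid_state"] = state
    return_to = f"{RP_RETURN_BASE}?{urlencode({'state': state})}"
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.return_to": return_to,
        "openid.realm": "https://refstack.example/",
    }
    return f"{OP_ENDPOINT}?{urlencode(params)}"


def sign(params: dict, mac_key: bytes) -> str:
    """OpenID 2.0 sec. 6.1: HMAC over 'field:value\\n' for each field named in
    openid.signed (field names without the 'openid.' prefix), base64 encoded."""
    fields = params["openid.signed"].split(",")
    token_contents = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    digest = hmac.new(mac_key, token_contents.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_return(session: dict, params: dict, mac_key: bytes) -> bool:
    """Accept the assertion only if state, return_to, op_endpoint and the
    signature all check out. The state is consumed, so a replay fails."""
    expected_state = session.pop("openid_state", None)
    if expected_state is None or params.get("openid.mode") != "id_res":
        return False
    required = {"return_to", "op_endpoint", "claimed_id", "identity",
                "response_nonce", "assoc_handle"}
    signed = set(params.get("openid.signed", "").split(","))
    if not required <= signed:
        return False                      # an unsigned field could be attacker-chosen
    parsed = urlparse(params.get("openid.return_to", ""))
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != RP_RETURN_BASE:
        return False
    got_state = parse_qs(parsed.query).get("state", [None])[0]
    if not got_state or not hmac.compare_digest(got_state, expected_state):
        return False                      # response was not started from this session
    if params.get("openid.op_endpoint") != OP_ENDPOINT:
        return False                      # assertion claims to come from another OP
    return hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", ""))


def simulate_op_response(return_to: str, mac_key: bytes) -> dict:
    """Constructed stand-in for the OP's positive assertion (no network)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://openstackid.org/alice",   # constructed identifier
        "openid.identity": "https://openstackid.org/alice",
        "openid.return_to": return_to,
        "openid.response_nonce": "2015-04-21T10:00:00Zabc123",  # constructed
        "openid.assoc_handle": "assoc-demo",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, mac_key)
    return params


def demo() -> tuple:
    """Returns (genuine, replayed, csrf, forged_sig) verification outcomes."""
    mac_key = secrets.token_bytes(32)     # MAC key from a prior association (assumed)
    session = {}
    redirect = start_login(session)
    return_to = parse_qs(urlparse(redirect).query)["openid.return_to"][0]
    good = simulate_op_response(return_to, mac_key)
    genuine = verify_return(dict(session), good, mac_key)
    replay_session = dict(session)
    verify_return(replay_session, good, mac_key)          # first use consumes the state
    replayed = verify_return(replay_session, good, mac_key)
    # CSRF: a valid assertion for a login the attacker started, not this session
    csrf = verify_return(dict(session),
                         simulate_op_response(f"{RP_RETURN_BASE}?state=attacker", mac_key),
                         mac_key)
    forged = dict(good, **{"openid.sig": sign(good, b"not-the-association-key")})
    forged_sig = verify_return(dict(session), forged, mac_key)
    return genuine, replayed, csrf, forged_sig


if __name__ == "__main__":
    print(demo())
```

The state alone defeats the login CSRF from the paper; the signature and op_endpoint checks are what answer the separate question of whether the data actually came from openstackid.org rather than from anyone who can send a request to the callback. In a real deployment the RP would also compare openid.return_to against the URL the browser actually hit and keep openid.response_nonce values to reject replays, both of which the OpenID 2.0 spec requires of relying parties.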
Jimmy,
Thanks a lot for your efforts!
But how can we verify that data from the OpenID endpoint was received from an
openstackid.org endpoint rather than from somewhere else?
On Mon, Apr 20, 2015 at 8:20 PM, Jimmy Mcarthur wrote:
> Sergey,
>
> Great news! Thanks for the update on OpenID.
>
> Our other
Sergey,
Great news! Thanks for the update on OpenID.
Our other question is around the workflow for the Authorization tokens.
It seems like you're bypassing oAuth2 on OpenStackID in order to manage
the authorization on the refstack client. Why not utilize OpenStackID
for both openid and oAuth2
Here you can find slides with general user stories:
- create a user account
- access to a resource requiring user auth in the Web UI
- access to a resource requiring user auth in the CLI client
https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0