Tuesday, 2020/09/22
10:00 am ET
Terrell Russell, Jason Coposky, Kory Draughn, Alan King, Daniel Moore, Stefan Wolfsheimer (SURFsara), Mike Conway (NIEHS), Ton Smeele (Utrecht University), Claudio Cacciari (SURFsara)
DISCUSSION
- Discussed last month's update and progress
- SURF still have a couple open questions on the client side
- working - stored JSON on client side, set of responses from IDP/PAM service, allow reuse with the iRODS service until it times out itself… but if expired token, then re-authenticate via PAM
- No encryption of the token on client side… yet
- Possible single-signout / logout
- How to disable/invalidate existing tokens
- May be protocol-dependent
- Should it be 'iexit' that does this? Some other operation/endpoint?
- Is there ever a use case for leaving the temporary password in the iRODS table… no, safer to always get rid of it - force them to reauthenticate anyhow.
- Eventually/Now - move to JWTs for all tokens we handle inhouse
- Would replace the current temporary passwords / .irodsA files
- Already encrypted on the client, well-supported by existing libraries
- Are we just recreating keycloak? (or punt to it?)
- Nice intro to OAuth2 and OIDC - https://youtu.be/996OiexHze0
- Possible move SURF external PAM handshake service to set of iRODS microservices that can be called from the server-side auth plugin - and this removes the need for the external software.
- Use blackboard pattern - shared state
- https://github.com/irods/irods/blob/master/lib/core/include/experimental_plugin_framework.hpp#L169
- Want to make sure all the icommands can pick up and retry on an expired token
- getenv() should be able to return the name of the requesting client (icp/iput, etc)
- Can store this in the shared state, send it back to the server
- Investigate going all in on keycloak
- No new code!