<div dir="ltr">Sergey,<div><br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I looks like this mailing thread is broken. I didn't receive your response.</div></blockquote><div> </div><div>I think a lot of the responses aren't getting through b/c the Infra list was dropped from the discussion. I think it's important to have this discussion on a public forum, so adding back in. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>We thought about using tokens generated by OpenstackID, but I didn't find how a CLI client can get such kind of token.</div><div>If you know how to get oAuth token from CLI tool, please shared it with me.</div></div></blockquote><div> </div><div><div>At the moment, we have not implemented that oauth2 workflow: <a href="https://tools.ietf.org/html/rfc6749#section-4.3">https://tools.ietf.org/html/rfc6749#section-4.3</a> There are some security concerns about passing credentials:</div></div><div><br></div><div><pre class="" style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
</pre><pre class="" style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"> application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
</pre></div><div><br></div><div>As you can see, this is doable, but not something we'd prefer for security reasons. Perhaps if you could clarify the use case? Maybe with a bit more information, we could understand why you need to get a token for the CLI app. It feels like this is still a desire to use oauth2 for some type of authentication. </div><div><div><br></div><div><div><br></div><div class="gmail_extra"><div class="gmail_signature"><div dir="ltr">--<br><div style="color:rgb(136,136,136);margin-right:24px"><span style="color:rgb(0,0,0)">Jimmy McArthur / </span><a href="http://tipit.net/" target="_blank" style="color:rgb(0,0,0)">Tipit.net</a><span style="color:rgb(0,0,0)"> < </span><a href="mailto:jimmy@tipit.net" target="_blank" style="color:rgb(0,0,0)">jimmy@tipit.net</a><span style="color:rgb(0,0,0)">></span><br>512.965.4846</div><div><br></div></div></div></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015 at 6:49 PM, Sergey Slypushenko <span dir="ltr"><<a href="mailto:sslypushenko@mirantis.com" target="_blank">sslypushenko@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Jimmy,<br><br>Thank you for your comment! That diagram was kind of outdated. I have updated it already.<div> </div><div>We are planning to use OpenID for authentication and we have been already working on it.<br><br>Regards,<br>Sergey<br><div><br></div><div><br></div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Sergey,<div><br></div><div>The biggest thing that stands out is the lack of authentication through OpenID. It appears that you're still authenticating through oAuth2, which is against security best practices and not how OpenStackID is designed. For a primer on the difference and why it's set up this way: <a href="http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/" target="_blank">http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/</a> (forgive the title, but it does a nice job of illustrating the issue)</div><div><br></div><div>I'm adding Sebastian here to chime in on potential technical details and the possibility of setting up your own resource server. The important thing though is to follow the steps outlined in the OpenStackID documentation for proper authentication.</div><div><br></div><div class="gmail_extra"><div><div><div dir="ltr">--<br><div style="color:rgb(136,136,136);margin-right:24px"><span style="color:rgb(0,0,0)">Jimmy McArthur / </span><a style="color:rgb(0,0,0)" href="http://Tipit.net" target="_blank">Tipit.net</a><span style="color:rgb(0,0,0)"> < </span><a style="color:rgb(0,0,0)" href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a><span style="color:rgb(0,0,0)">></span><br><a href="tel:512.965.4846" value="+15129654846" target="_blank">512.965.4846</a>
<div><br></div></div></div></div></div>
<br><div class="gmail_quote"><div><div>On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko <span dir="ltr"><<a href="mailto:sslypushenko@mirantis.com" target="_blank">sslypushenko@mirantis.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr">Here you can find slides with general user stories: <div><ul><li>create user account</li><li>access to resource required user auth in Web UI<br></li><li>access to resource required user auth in CLI client</li></ul><div><a href="https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0" target="_blank">https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0</a><br></div></div><div><br></div><div>Any comments related to this topic will be very appreciated.</div><div><br></div><div><div style="font-size:12.8000001907349px">Regards,</div><div style="font-size:12.8000001907349px">Sergey Slipushenko,</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">Software Developer,</div><div style="font-size:12.8000001907349px">Kharkiv, Ukraine,</div><div style="font-size:12.8000001907349px">Mirantis Inc.</div></div><div><br></div></div>
<br></div></div>_______________________________________________<br>
OpenStack-Infra mailing list<br>
<a href="mailto:OpenStack-Infra@lists.openstack.org" target="_blank">OpenStack-Infra@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>