<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span style="background-color:rgba(255,255,255,0)">Thank you for a really interesting discussion. You can code something and think you planned for everything, but there is always a corner case to keep you in check! I think adding ppk is a fine idea, but definitely something that needs to be custom developed and thought through. Hopefully the lack of it won't be a blocker for refstack. </span><br><br>Thanks,<div>Jimmy McArthur <<a href="mailto:jimmy@tipit.net">jimmy@tipit.net</a>></div><div>512.965.4846</div><div><br></div></div><div><br>On Apr 23, 2015, at 2:58 PM, Sergey Slypushenko <<a href="mailto:sslypushenko@mirantis.com">sslypushenko@mirantis.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div>It is interesting that it is possible to receive an OpenID token just with curl and a parser. In any case, for successful authorization with curl you should put your OpenID credentials in the CLI. It requires deep trust in our application (which we actually don't have). We try to avoid that kind of issue. </div><div><br></div><div>We decided to change authorization with OpenID creds to auth with pubkeys for the CLI client. It is the single reason why refstack needs pubkey management. So, here we don't discuss how to manage pubkeys with OpenStackID. I mentioned pubkeys only as an alternative for CLI auth. It would be great if some other appropriate alternative exists.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 23, 2015 at 7:43 PM, Jimmy Mcarthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">No question, openID and
oAuth are meant as web solutions. OpenStackID was designed for
integration, authentication, and data auth for OpenStack web projects.
Leaving public key auth aside for a moment, it's still possible with
curl and a parser to authenticate from the command line by posting to
openID, receiving a token, then posting back to oAuth for authorization.
Maybe it's not pretty, but it's working within the confines of
OpenStackID as it exists.<br>
<br>
Whether we could/should add ppk to OpenStackID is probably a
separate discussion that should be had. One which you've started here:
<a href="http://lists.openstack.org/pipermail/openstack-infra/2015-April/002673.html" target="_blank">http://lists.openstack.org/pipermail/openstack-infra/2015-April/002673.html</a><br>
<br>
IMO, it would be best to work within the existing system, even if it's a
bit cumbersome, and discuss how we can improve or change OpenStackID
once we get additional community input on the need for ppk. <br><div><div class="h5">
<br>
<br>
<br>
<br>
<br>
Sergey Slypushenko wrote:
<blockquote type="cite">
<div dir="ltr"><div><div>Thanks for bringing our discussion back
to the mailing list.</div><div><br></div><div>The hardest use case here is
providing access to some private resources from a CLI client without
using any GUI tools. As you understand, a CLI tool cannot pass
through the common OpenID auth procedure without workarounds (like opening a
browser, for example). Also, I think that passing user creds in the CLI
client isn't an appropriate solution either.</div><div><br></div><div>Using
key pairs for auth from the CLI looks like a good solution, because no
sensitive information will be shared in this case. Also, it should be
pretty secure. As for me, the main disadvantage of this kind of auth is that
it is not implemented in the OpenID/oAuth workflow (or I don't know about
that). Maybe I am missing something about OpenID/oAuth?</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 22, 2015
at 11:28 PM, Jimmy McArthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span>
wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Sergey,<div><br></div><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">It looks like this mailing thread is broken. I didn't receive
your response.</div></blockquote><div> </div></span><div>I think a lot
of the responses aren't getting through b/c the Infra list was dropped
from the discussion. I think it's important to have this discussion on a
public forum, so adding back in. </div><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>We thought about using tokens generated
by OpenstackID, but I didn't find how a CLI client can get such kind of
token.</div><div>If you know how to get an oAuth token from a CLI tool,
please share it with me.</div></div></blockquote><div> </div></span><div><div>At
the moment, we have not implemented that oauth2 workflow: <a href="https://tools.ietf.org/html/rfc6749#section-4.3" target="_blank">https://tools.ietf.org/html/rfc6749#section-4.3</a>
There are some security concerns about passing credentials:</div></div><div><br></div><div><pre style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
</pre></div><div><br></div><div>As you can see, this is doable, but not
something we'd prefer for security reasons. Perhaps if you could clarify
the use case? Maybe with a bit more information, we could understand
why you need to get a token for the CLI app. It feels like this is still
a desire to use oauth2 for some type of authentication. </div><div><div><div><div><br></div><div><div><br></div><div class="gmail_extra"><div><div dir="ltr">--<br><div style="color:rgb(136,136,136);margin-right:24px"><span style="color:rgb(0,0,0)">Jimmy McArthur / </span><a href="http://tipit.net/" style="color:rgb(0,0,0)" target="_blank">Tipit.net</a><span style="color:rgb(0,0,0)"> < </span><a href="mailto:jimmy@tipit.net" style="color:rgb(0,0,0)" target="_blank">jimmy@tipit.net</a><span style="color:rgb(0,0,0)">></span><br><a href="tel:512.965.4846" value="+15129654846" target="_blank">512.965.4846</a></div><div><br></div></div></div></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015
at 6:49 PM, Sergey Slypushenko <span dir="ltr"><<a href="mailto:sslypushenko@mirantis.com" target="_blank">sslypushenko@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Jimmy,<br><br>Thank you for your comment! That diagram was
kind of outdated. I have updated it already.<div> </div><div>We are
planning to use OpenID for authentication and we have already been
working on it.<br><br>Regards,<br>Sergey<br><div><br></div><div><br></div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015
at 6:30 PM, Jimmy McArthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span>
wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Sergey,<div><br></div><div>The biggest thing that stands out
is the lack of authentication through OpenID. It appears that you're
still authenticating through oAuth2, which is against security best
practices and not how OpenStackID is designed. For a primer on the
difference and why it's set up this way: <a href="http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/" target="_blank">http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/</a>
(forgive the title, but it does a nice job of illustrating the issue)</div><div><br></div><div>I'm
adding Sebastian here to chime in on potential technical details and
the possibility of setting up your own resource server. The important
thing though is to follow the steps outlined in the OpenStackID
documentation for proper authentication.</div><div><br></div><div class="gmail_extra"><div><div><div dir="ltr">--<br><div style="color:rgb(136,136,136);margin-right:24px"><span style="color:rgb(0,0,0)">Jimmy McArthur / </span><a style="color:rgb(0,0,0)" href="http://Tipit.net" target="_blank">Tipit.net</a><span style="color:rgb(0,0,0)"> < </span><a style="color:rgb(0,0,0)" href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a><span style="color:rgb(0,0,0)">></span><br><a href="tel:512.965.4846" value="+15129654846" target="_blank">512.965.4846</a>
<div><br></div></div></div></div></div>
<br><div class="gmail_quote"><div><div>On Thu, Apr 16, 2015 at 4:49 AM,
Sergey Slypushenko <span dir="ltr"><<a href="mailto:sslypushenko@mirantis.com" target="_blank">sslypushenko@mirantis.com</a>></span>
wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr">Here you can find slides with general user stories: <div><ul><li>create
user account</li><li>access to a resource requiring user auth in the Web UI<br></li><li>access
to a resource requiring user auth in the CLI client</li></ul><div><a href="https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0" target="_blank">https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0</a><br></div></div><div><br></div><div>Any
comments related to this topic will be very much appreciated.</div><div><br></div><div><div style="font-size:12.8000001907349px">Regards,</div><div style="font-size:12.8000001907349px">Sergey Slipushenko,</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">Software Developer,</div><div style="font-size:12.8000001907349px">Kharkiv, Ukraine,</div><div style="font-size:12.8000001907349px">Mirantis Inc.</div></div><div><br></div></div>
<br></div></div>_______________________________________________<br>
OpenStack-Infra mailing list<br>
<a href="mailto:OpenStack-Infra@lists.openstack.org" target="_blank">OpenStack-Infra@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a><br>
<br></blockquote></div><br></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div></div></div><br></div></div>
</blockquote></div><br></div></div></div>
</blockquote>
</div></div></div>
</blockquote></div><br></div>
</div></blockquote></body></html>