[OpenStack-Infra] Refstack workflow discussion. Using OpenstackID as auth provider for application with Web UI and CLI client

Vladislav Kuzmin vkuzmin at mirantis.com
Tue Apr 21 14:28:30 UTC 2015


Jimmy,

Thanks a lot for your efforts!

But how can we verify that data from the OpenID endpoint was received from an
openstackid.org endpoint rather than from somewhere else?

On Mon, Apr 20, 2015 at 8:20 PM, Jimmy Mcarthur <jimmy at tipit.net> wrote:

> Sergey,
>
> Great news! Thanks for the update on OpenID.
>
> Our other question is around the workflow for the Authorization tokens. It
> seems like you're bypassing oAuth2 on OpenStackID in order to manage the
> authorization on the refstack client. Why not utilize OpenStackID for both
> openid and oAuth2? Basically create the authorization tokens on the
> OpenStackID side and create your own resource server as gatekeeper of your
> API and validate oauth2 tokens against introspection endpoint (
> http://ci.openstack.org/openstackid/oauth2.html#token-introspection).
>
> Thoughts?
>
> Thanks,
> Jimmy
>
>
>
> Sergey Slypushenko wrote:
>
> Jimmy,
>
> Thank you for your comment! That diagram was kind of outdated. I have
> updated it already.
>
> We are planning to use OpenID for authentication and we have already been
> working on it.
>
> Regards,
> Sergey
>
>
>
> On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <jimmy at tipit.net> wrote:
>
>> Sergey,
>>
>> The biggest thing that stands out is the lack of authentication through
>> OpenID. It appears that you're still authenticating through oAuth2, which
>> is against security best practices and not how OpenStackID is designed. For
>> a primer on the difference and why it's set up this way:
>> http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
>> (forgive the title, but it does a nice job of illustrating the issue)
>>
>> I'm adding Sebastian here to chime in on potential technical details and
>> the possibility of setting up your own resource server. The important thing
>> though is to follow the steps outlined in the OpenStackID documentation for
>> proper authentication.
>>
>> --
>> Jimmy McArthur / Tipit.net < jimmy at tipit.net>
>> 512.965.4846
>>
>>
>> On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko <
>> sslypushenko at mirantis.com> wrote:
>>
>>> Here you can find slides with general user stories:
>>>
>>>    - create user account
>>>    - access to a resource requiring user auth in Web UI
>>>    - access to a resource requiring user auth in CLI client
>>>
>>>
>>> https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0
>>>
>>> Any comments related to this topic will be much appreciated.
>>>
>>> Regards,
>>> Sergey Slipushenko,
>>>
>>> Software Developer,
>>> Kharkiv, Ukraine,
>>> Mirantis Inc.
>>>
>>>
>>> _______________________________________________
>>> OpenStack-Infra mailing list
>>> OpenStack-Infra at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>>>
>>>
>>
>
>
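
Added example, not part of the original thread and not RefStack or OpenStackID code: one way a relying party can check that a positive assertion was issued by the expected provider, assuming OpenID 2.0 with an HMAC-SHA256 association whose MAC key was obtained directly from the provider over TLS. The endpoint, return_to URL, identifiers and key are placeholders, and the assertion is constructed for the example.

```python
import base64
import hashlib
import hmac

# Placeholders (assumptions): use the endpoint found by discovery on openstackid.org.
OP_ENDPOINT = "https://op.example/openid"
RETURN_TO = "https://rp.example/auth/return"
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def sign(params, mac_key):
    """Base64 HMAC-SHA256 over the Key-Value Form of the fields listed in openid.signed."""
    signed = params["openid.signed"].split(",")
    text = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, text.encode("utf-8"), hashlib.sha256).digest())

def verify_assertion(params, mac_key, seen_nonces):
    """Return (ok, reason) for the query parameters received on return_to."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(params.get("openid.signed", "").split(","))
    required = REQUIRED | {k for k in ("claimed_id", "identity") if "openid." + k in params}
    if not required <= signed:
        return False, "required field not signed"
    if any("openid." + k not in params for k in signed):
        return False, "signed field missing"
    # Constant-time comparison against the MAC recomputed with the association key.
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "").encode("utf-8")):
        return False, "bad signature"
    if params["openid.op_endpoint"] != OP_ENDPOINT:
        return False, "wrong OP endpoint"
    if params["openid.return_to"] != RETURN_TO:
        return False, "return_to mismatch"
    if params["openid.response_nonce"] in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(params["openid.response_nonce"])
    return True, "ok"

def sample_assertion(mac_key):
    """Constructed assertion, signed the way the OP would with the association key."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
         "openid.claimed_id": "https://op.example/id/alice",
         "openid.identity": "https://op.example/id/alice",
         "openid.return_to": RETURN_TO, "openid.assoc_handle": "constructed-handle",
         "openid.response_nonce": "2015-04-21T14:28:30Zconstructed",
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, mac_key).decode("ascii")
    return p
```

Discovery and the association request that yields the MAC key are not shown; without an association, the relying party would instead ask the provider to confirm the assertion in a direct check_authentication request.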