[OpenStack-Infra] Refstack workflow discussion. Using OpenstackID as auth provider for application with Web UI and CLI client

Sebastian Marcet sebastian at tipit.net
Tue Apr 21 16:04:18 UTC 2015


Here you have more info about it

http://seclab.stanford.edu/websec/csrf/csrf.pdf

*To defend against these attacks, the Relying Party should generate a fresh
nonce at the start of the protocol, store the nonce in the browser’s cookie
store and include the nonce in the return_to parameter of the OpenID
protocol. Upon receiving a positive identity assertion from the user’s
Identity Provider, the Relying Party should validate that the nonce
included in the return_to URL matches the nonce stored in the cookie store.
This defense is similar to the secret token validation technique and
ensures that the OpenID protocol session completes on the same browser as
it began.*

regards

On Tue, Apr 21, 2015 at 12:08 PM, Sebastian Marcet <sebastian at tipit.net>
wrote:

> Hi Vlad, one thing that you could implement is to pass a "state" query
> string param in the value of openid.return_to and associate it with the user session;
> once you return back to the RP, the state param would be returned also and you
> could check against it to prevent this kind of attack
>
> regards
>
>
>
> On Tue, Apr 21, 2015 at 11:28 AM, Vladislav Kuzmin <vkuzmin at mirantis.com>
> wrote:
>
>> Jimmy,
>>
>> Thanks a lot for your efforts!
>>
>> But how can we verify that data from the OpenID endpoint was received from an
>> openstackid.org endpoint rather than from somewhere else?
>>
>> On Mon, Apr 20, 2015 at 8:20 PM, Jimmy Mcarthur <jimmy at tipit.net> wrote:
>>
>>> Sergey,
>>>
>>> Great news! Thanks for the update on OpenID.
>>>
>>> Our other question is around the workflow for the Authorization tokens.
>>> It seems like you're bypassing oAuth2 on OpenStackID in order to manage the
>>> authorization on the refstack client. Why not utilize OpenStackID for both
>>> openid and oAuth2? Basically create the authorization tokens on the
>>> OpenStackID side and create your own resource server as gatekeeper of your
>>> API and validate oauth2 tokens against the introspection endpoint (
>>> http://ci.openstack.org/openstackid/oauth2.html#token-introspection).
>>>
>>> Thoughts?
>>>
>>> Thanks,
>>> Jimmy
>>>
>>>
>>>
>>> Sergey Slypushenko wrote:
>>>
>>> Jimmy,
>>>
>>> Thank you for your comment! That diagram was kind of outdated. I have
>>> updated it already.
>>>
>>> We are planning to use OpenID for authentication and we have been
>>> already working on it.
>>>
>>> Regards,
>>> Sergey
>>>
>>>
>>>
>>> On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <jimmy at tipit.net> wrote:
>>>
>>>> Sergey,
>>>>
>>>> The biggest thing that stands out is the lack of authentication through
>>>> OpenID. It appears that you're still authenticating through oAuth2, which
>>>> is against security best practices and not how OpenStackID is designed. For
>>>> a primer on the difference and why it's set up this way:
>>>> http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
>>>> (forgive the title, but it does a nice job of illustrating the issue)
>>>>
>>>> I'm adding Sebastian here to chime in on potential technical details
>>>> and the possibility of setting up your own resource server. The important
>>>> thing though is to follow the steps outlined in the OpenStackID
>>>> documentation for proper authentication.
>>>>
>>>> --
>>>> Jimmy McArthur / Tipit.net <jimmy at tipit.net>
>>>> 512.965.4846
>>>>
>>>>
>>>> On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko <
>>>> sslypushenko at mirantis.com> wrote:
>>>>
>>>>> Here you can find slides with general user stories:
>>>>>
>>>>>    - create user account
>>>>>    - access to resource required user auth in Web UI
>>>>>    - access to resource required user auth in CLI client
>>>>>
>>>>>
>>>>> https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0
>>>>>
>>>>> Any comments related to this topic will be very appreciated.
>>>>>
>>>>> Regards,
>>>>> Sergey Slipushenko,
>>>>>
>>>>> Software Developer,
>>>>> Kharkiv, Ukraine,
>>>>> Mirantis Inc.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-Infra mailing list
>>>>> OpenStack-Infra at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
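The defense quoted above (a fresh nonce bound to the browser through a cookie and echoed in openid.return_to, which the earlier reply in this thread calls a "state" param), as an added Python example that is not part of this thread nor code from refstack or OpenStackID. The cookie name, the RP callback URL, the claimed_id values and the simulated IdP redirect are constructed assumptions for illustration; signature verification of the assertion itself is out of scope here and is only noted in the comments.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical names for this example; neither refstack nor OpenStackID
# defines them.
STATE_COOKIE = "rp_openid_state"
RP_CALLBACK = "https://rp.example/auth/openid/return"


def begin_login(browser_cookies):
    """RP side, step 1: mint a fresh nonce, bind it to this browser through a
    cookie, and embed the same nonce in openid.return_to.

    `browser_cookies` is a dict standing in for the browser's cookie jar. In a
    real deployment set the cookie with Secure, HttpOnly and SameSite=Lax so
    only the browser that started the flow can present it.
    Returns the return_to URL handed to the Identity Provider.
    """
    nonce = secrets.token_urlsafe(32)
    browser_cookies[STATE_COOKIE] = nonce
    return RP_CALLBACK + "?" + urlencode({"state": nonce})


def simulate_idp_redirect(return_to, claimed_id):
    """Constructed stand-in for the IdP's positive assertion: OpenID 2.0
    appends its openid.* parameters to the RP's return_to URL. Signature
    fields are omitted; a real RP must still verify the assertion signature
    (shared association or check_authentication) before trusting claimed_id.
    """
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
    })


def verify_return(browser_cookies, request_url):
    """RP side, step 2: check that the nonce in the incoming URL matches the
    one stored in *this* browser's cookie. Returns (accepted, reason).

    The cookie is consumed on first use so a captured URL cannot be replayed,
    and a browser that never started the flow (the login-CSRF victim) has no
    cookie and is refused.
    """
    expected = browser_cookies.pop(STATE_COOKIE, None)
    if expected is None:
        return False, "no state cookie: flow did not start in this browser"

    parsed = urlparse(request_url)
    params = parse_qs(parsed.query)

    # The assertion must arrive at our own callback, not some other path.
    if parsed.path != urlparse(RP_CALLBACK).path:
        return False, "assertion delivered to an unexpected path"

    got = params.get("state", [None])[0]
    if got is None:
        return False, "state parameter missing from return_to"

    # Constant-time comparison on bytes: the nonce is a secret shared with
    # this browser, and encoding avoids compare_digest's ASCII-only str rule.
    if not hmac.compare_digest(got.encode("utf-8"), expected.encode("utf-8")):
        return False, "state mismatch: assertion belongs to another session"

    if params.get("openid.mode", [None])[0] != "id_res":
        return False, "not a positive assertion"

    return True, "ok"


if __name__ == "__main__":
    # Honest flow: the same browser starts and finishes the protocol.
    alice = {}
    url = simulate_idp_redirect(begin_login(alice), "https://idp.example/alice")
    print(verify_return(alice, url))  # (True, 'ok')

    # The scenario the paper defends against: an assertion obtained in one
    # browser is loaded in another that never started the flow. That jar has
    # no nonce cookie, so the RP refuses to complete the login.
    other, victim = {}, {}
    stray = simulate_idp_redirect(begin_login(other), "https://idp.example/other")
    print(verify_return(victim, stray))
    # (False, 'no state cookie: flow did not start in this browser')
```

The check deliberately consumes the cookie before comparing, so a second delivery of the same URL to the same browser is also refused; on a real RP the cookie value would be set and cleared through the framework's response object rather than a dict.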