<div dir="ltr"><div>Hi Mark, everyone,</div><div>I really appreciate and accept Mark's offer. I think he is the right person to describe in detail the authentication process for non-browser clients, thanks to his expertise and experience in implementation (experience that I do not have, which was evident to me when I tried to write the document).</div><div>The work I have done so far is available at <a href="https://github.com/bertocco/IVOA-Authentication-Process">https://github.com/bertocco/IVOA-Authentication-Process</a>.
It is a draft, an attempt to merge the wiki and presentations done so far on the topic at the latest Interops. Maybe something can be reused.</div><div>Mark, I leave the floor to you and, if I can be useful (re-reading the document or helping with some section), I am available.</div><div>Cheers, Sara</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 24, 2025 at 3:33 PM Mark Taylor via dsp <<a href="mailto:dsp@ivoa.net" target="_blank">dsp@ivoa.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dear DSP/GWS/GRID,<br>
<br>
TL;DR:<br>
------<br>
<br>
Has there been any progress on the (tentatively-named) IVOA-IAM<br>
document suggested in Malta by Sara?<br>
<br>
If not, should I volunteer to draft such a document for review?<br>
<br>
<br>
Details:<br>
--------<br>
<br>
Concerning how to allow non-browser clients to authenticate against<br>
VO services, we have had presentations with essentially the same<br>
technical content at several interops in recent years:<br>
<br>
Sara B: SSO_next open discussion (Malta 11/2024):<br>
<a href="https://wiki.ivoa.net/internal/IVOA/InterOpNov2024GWS/Interop_Malta_2024_Sara_Bertocco.pdf" rel="noreferrer" target="_blank">https://wiki.ivoa.net/internal/IVOA/InterOpNov2024GWS/Interop_Malta_2024_Sara_Bertocco.pdf</a><br>
<br>
Mark T: Authentication in TOPCAT (Tucson 11/2023):<br>
<a href="https://wiki.ivoa.net/internal/IVOA/InterOpNov2023Apps/auth.pdf" rel="noreferrer" target="_blank">https://wiki.ivoa.net/internal/IVOA/InterOpNov2023Apps/auth.pdf</a><br>
<br>
Mark T: Authentication for non-browser clients: progress (online 04/2022):<br>
<a href="https://wiki.ivoa.net/internal/IVOA/InterOpApr2022GWS/auth.pdf" rel="noreferrer" target="_blank">https://wiki.ivoa.net/internal/IVOA/InterOpApr2022GWS/auth.pdf</a><br>
<br>
In summary these address the problem of how non-browser clients<br>
can discover and use an authentication method when pointed at a<br>
(e.g. TAP or DataLink) service without having out-of-band knowledge<br>
about such a service. The answer is, briefly, to do the following:<br>
<br>
- use www-authenticate headers, in line with RFC 7235<br>
<br>
- probe the capabilities endpoint prior to using TAP,<br>
in order to get such a header<br>
<br>
- optionally use ivoa-defined www-authenticate schemes for<br>
auth method discovery (ivoa_cookie, ivoa_x509, maybe something<br>
for use with bearer tokens TBD) - though Basic Auth over HTTPS<br>
with or without out-of-band knowledge is also a possibility<br>
<br>
Concerns were raised in discussion in Malta that since much of the<br>
authentication infrastructure is out of our hands, the approach of<br>
defining our own www-authenticate schemes may run into problems.<br>
I don't understand the wider picture well enough to know how true<br>
that is, but such custom schemes are already in place and working<br>
in production services at ESAC (using ivoa_cookie for e.g. Gaia,<br>
Euclid, PDS TAP and DataLink services) and at CADC (using ivoa_x509 -<br>
currently a bit broken, but it was working), so we have a proof<br>
by example that it works in at least some contexts.<br>
DaCHS also uses the above outline, but with the standard Basic Auth<br>
authentication scheme. An approach which uses part of this proposal<br>
(probe TAP capabilities endpoint to initiate authentication prior<br>
to TAP usage, but use the standard Basic Auth scheme with a token<br>
acquired out-of-band) is in use at Rubin<br>
(<a href="https://rsp.lsst.io/v/usdfdev/guides/auth/using-topcat-outside-rsp.html" rel="noreferrer" target="_blank">https://rsp.lsst.io/v/usdfdev/guides/auth/using-topcat-outside-rsp.html</a>)<br>
<br>
So: no service is required to use any non-standard (VO-specific)<br>
prescriptions offered here, but those prescriptions are in<br>
operational use in some services and solving problems that do not<br>
otherwise have solutions.<br>
<br>
Implementation on the client side is available at least in the AUTH<br>
library used by TOPCAT/STILTS (available as a standalone no-dependency<br>
java library). I don't know whether there are implementations<br>
in other applications or libraries.<br>
<br>
These client- and server-side implementations have been in place<br>
and in production use for more than a year, but standardisation seems<br>
to have stagnated. At present, documentation for the proposal<br>
is scattered and inconsistent; it's in the somewhat outdated<br>
<a href="https://wiki.ivoa.net/twiki/bin/view/IVOA/SSO_next" rel="noreferrer" target="_blank">https://wiki.ivoa.net/twiki/bin/view/IVOA/SSO_next</a> wiki page,<br>
in the presentations listed above, and in running code.<br>
Some of the content is also in the current unpublished github draft<br>
of the SSO document thanks to a PR written by Brian Major<br>
(<a href="https://github.com/ivoa-std/SSO/pull/10" rel="noreferrer" target="_blank">https://github.com/ivoa-std/SSO/pull/10</a>, merged in May 2022),<br>
but it may require further review, and Sara's suggestion in Malta<br>
(which I agree with) is for a new document with a different name<br>
and reduced scope.<br>
<br>
There is some more work to do on the proposal (better documentation<br>
of authentication scope for certain schemes, some way to integrate OAuth)<br>
but to me there's enough there to make it worth documenting properly<br>
in its current state, at least in draft form.<br>
<br>
I could make a presentation on all this at the upcoming interop,<br>
but it would mostly just repeat what's been said before, so<br>
I don't feel that on its own that would constitute progress.<br>
<br>
Are there plans in place to move this forward? If not, how do<br>
DSP chair/vice-chair/members feel about me volunteering to draft<br>
a (probably quite short) Note or a REC-track document documenting<br>
the proposal for review by other DSP members? I *might* manage<br>
to have a draft ready by the interop.<br>
<br>
Mark<br>
<br>
--<br>
Mark Taylor Astronomical Programmer Physics, Bristol University, UK<br>
<a href="mailto:m.b.taylor@bristol.ac.uk" target="_blank">m.b.taylor@bristol.ac.uk</a> <a href="https://www.star.bristol.ac.uk/mbt/" rel="noreferrer" target="_blank">https://www.star.bristol.ac.uk/mbt/</a><br>
</blockquote></div>
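<p>The client-side outline in Mark's quoted message (probe the capabilities endpoint before the first TAP request, read the WWW-Authenticate header(s) using RFC 7235 challenge syntax, pick a scheme the client can satisfy) as an added Python example. This is not code from the thread, from the TOPCAT/STILTS AUTH library, or from any IVOA project. The capabilities response it parses is constructed, and the <code>standard_id</code>/<code>access_url</code> parameter names for <code>ivoa_cookie</code> and <code>ivoa_x509</code>, as well as the assumption that the header may accompany a 200 response rather than only a 401, are assumptions made here and are not stated in the message. The parser is generic RFC 7235, so it also handles Basic, Bearer and token68-style challenges (e.g. Negotiate) alongside the IVOA-defined schemes.</p>

```python
"""Auth-method discovery for a non-browser VO client (added example).

Steps from the thread: probe <service>/capabilities, read WWW-Authenticate
(RFC 7235 challenge syntax), choose a scheme the client can satisfy.
Runs offline against a constructed response; no network access.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional
from urllib.parse import urljoin

# RFC 7230 tchar; scheme names and auth-param names are case-insensitive.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME_RE = re.compile(rf"\s*({_TOKEN})[ \t]*")
_PARAM_RE = re.compile(rf'\s*({_TOKEN})\s*=\s*({_TOKEN}|"(?:[^"\\]|\\.)*")[ \t]*')
_TOKEN68_RE = re.compile(r"([A-Za-z0-9\-._~+/]+=*)[ \t]*(?=,|$)")
_COMMA_RE = re.compile(r"\s*,\s*")


@dataclass
class Challenge:
    scheme: str                                   # lower-cased scheme name
    params: dict = field(default_factory=dict)    # auth-params, lower-cased names
    token68: Optional[str] = None                 # e.g. a Negotiate blob


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve quoted-pairs."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header: str) -> list:
    """Parse one WWW-Authenticate field value (1#challenge) into Challenge objects."""
    challenges, pos, end = [], 0, len(header)
    while pos < end:
        m = _SCHEME_RE.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {header[pos:]!r}")
        ch, pos = Challenge(scheme=m.group(1).lower()), m.end()
        m68 = _TOKEN68_RE.match(header, pos)
        if m68:                                   # challenge = scheme SP token68
            ch.token68, pos = m68.group(1), m68.end()
        else:                                     # challenge = scheme SP #auth-param
            while (mp := _PARAM_RE.match(header, pos)):
                ch.params[mp.group(1).lower()] = _unquote(mp.group(2))
                pos = mp.end()
                mc = _COMMA_RE.match(header, pos)
                # A comma continues this challenge only if another auth-param
                # follows; otherwise it separates the next scheme.
                if not (mc and _PARAM_RE.match(header, mc.end())):
                    break
                pos = mc.end()
        challenges.append(ch)
        mc = _COMMA_RE.match(header, pos)
        if mc:
            pos = mc.end()
        elif pos < end:
            raise ValueError(f"unexpected text at offset {pos}: {header[pos:]!r}")
    return challenges


def choose_challenge(challenges: Iterable[Challenge],
                     supported: Iterable[str]) -> Optional[Challenge]:
    """Pick the first scheme in the client's preference order that the server offered."""
    offered = {}
    for ch in challenges:
        offered.setdefault(ch.scheme, ch)        # keep the server's first entry per scheme
    for name in supported:
        if name.lower() in offered:
            return offered[name.lower()]
    return None


def capabilities_url(service_url: str) -> str:
    """The VOSI capabilities endpoint probed before the first TAP request."""
    return urljoin(service_url.rstrip("/") + "/", "capabilities")


def discover_auth(response_headers: dict, supported: Iterable[str]) -> Optional[Challenge]:
    """Apply the outline to the headers of the capabilities response.

    Assumption made here: the header may accompany a 200 as well as a 401,
    so the status code is not consulted. None means anonymous access.
    """
    challenges = []
    for name, value in response_headers.items():
        if name.lower() == "www-authenticate":
            challenges.extend(parse_www_authenticate(value))
    return choose_challenge(challenges, supported)


# Constructed capabilities response (not captured from any real service).
# The ivoa_* parameter names below are assumed, not taken from the thread.
SAMPLE_HEADERS = {
    "Content-Type": "text/xml",
    "WWW-Authenticate": (
        'ivoa_x509 standard_id="ivo://ivoa.net/sso#tls-with-certificate", '
        'access_url="https://tap.example.org/cred/priv/users", '
        'ivoa_cookie standard_id="ivo://ivoa.net/sso#tls-with-password", '
        'access_url="https://tap.example.org/ac/login", '
        'Basic realm="tap.example.org"'
    ),
}

if __name__ == "__main__":
    print("probe:", capabilities_url("https://tap.example.org/tap"))
    print("use:", discover_auth(SAMPLE_HEADERS, ["ivoa_x509", "ivoa_cookie", "basic"]))
```

<p>The order passed to <code>choose_challenge</code> is the client's own policy (here certificate before cookie before Basic); a client that only knows Basic still gets a usable answer from the same header, which is the "no service is required to use the VO-specific schemes" point in the message. Parameter names are lower-cased on the way in because RFC 7235 makes them case-insensitive, so a server sending <code>Realm=</code> is handled the same as <code>realm=</code>.</p>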