TAP/UWS authentication - short survey

matthias egger megger at MPA-Garching.MPG.DE
Thu Aug 11 07:52:14 PDT 2011


Hi All,

thanks for all your responses. i'll try to summarize in short:
as expected there are all sorts of tap services deployed, some are
completely public, some with optional login, some fully protected.


1) preferences of security methods:

from what i got one could NOT infer any preference of one security
method over another.

most mentioned were x.509 certificates, quite equally in both flavors:
- we are using them as our primary security method
- we don't and won't use and don't recommend them

so here we meet again the well-known pros and cons of x.509 certificates.

we (MPA) also want to stay with username/password authentication and not use user-certificates (if
we can avoid it).


1.1) SSO, openID

further, in the future we'd like to provide some convenient SSO over all our web services for our
users (username/password based).

for the sake of conformity we'd go for the one which is most widely used throughout ivoa, there was
some mentioning of openID:
  * VAO is working on an OpenID system tied to their existing X.509 service
  * others seem to be interested in it, too

so we would like to hook into that approach.



2) service interoperability without certificates, OAuth

not using user (proxy-)certificates bears two challenges for service interoperability:
  * authentication
  * and esp: delegation-of-trust


2.1 authentication: tls-with-password

looking into the ivoa SSO-authMech document, i find it leaves the details of
securityMethod:tls-with-password quite open.
- or have i just missed it somewhere?

so i wonder whether it would make sense in the course of a future discussion to come up with say an
extension to 'tls-with-password' which would "clearly" describe the details/metadata of that
security-method in place?

with the goal that also protected services could be properly accessed by means of interpreting the
security-method metadata (beyond "just" tls-with-certificates).



2.2 delegation-of-trust

while that scenario is well covered with proxy-certificates,
it is not-at-all with a username/password authn.

so the only solution for the latter i heard of yet would be applying OAuth(2).
as i understand, this is what it's designed for.

has someone any experience with it already?
or are there any known constraints why it would not fit within the ivoa infrastructure?



3) TOPCAT and TAP

background of the question was how to allow TOPCAT connecting to a
protected tap service.

currently there seems to be no clear preference for a security method and the mechanics are not clear (see
2.1).

so we decided to be pragmatic for now and Mark Taylor has been so nice as to build in
rudimentary support for (http) BASIC in TOPCAT as a _semi-official_ add-on.

it will be part of the next topcat release, you can try it out by
downloading the pre-release version from:
ftp://andromeda.star.bris.ac.uk/pub/star/topcat/pre/

see below the quote of Mark's documentation and comments.


thanks and regards,
matthias



On 08/10/11 14:04, Mark Taylor wrote:
> I've made some changes to TOPCAT and STILTS.
> They now take notice of two new system properties,
>
>    star.basicauth.user
>    star.basicauth.password
>
> Here is the documentation:
>
>    <dt><code>star.basicauth.user</code></dt>
>    <dt><code>star.basicauth.password</code></dt>
>    <dd><p>If set, these will provide username and password for HTTP Basic
>        Authentication.  Any time the application attempts to access an
>        HTTP URL and is met by a 401 Unauthorized response, it will try again
>        supplying these user credentials.  This is a rather blunt instrument,
>        since the same identity is supplied regardless of which URL is being
>        accessed, but it may be of some use in accessing basic-authentication
>        protected services.  This mechanism is experimental, and may be
>        modified or withdrawn in future versions.
>        </p></dd>
>
> So if somebody has, say, an SSA service with basic auth, it will work
> for that too.
>
> You can set the system properties in the usual way as explained at
>    http://www.starlink.ac.uk/topcat/sun253/jvmProperties.html
> either on the command line
> (topcat -Dstar.basicauth.user=mtaylor -Dstar.basicauth.password=xxx)
> or in a .starjava.properties file in your home directory
> (containing the lines:
> star.basicauth.user=mtaylor
> star.basicauth.password=xxx
> ).
>
> As noted this is not very elegant or scalable: for instance there's
> no way of using the same instance of TOPCAT to access two different
> services with different basic auth user/passwords.  For that reason
> I'm marking it as experimental and I'm not going to emphasise it in
> the documentation.  It's up to you how officially you want to
> recommend it to your users.
>
> It would be possible to modify the mechanism in future so that different
> basic auth identities are used for different services, possibly
> with some sort of GUI for setting it up, but this would be quite
> a bit more implementation effort.  I'd do it if it looked like lots
> of services had a requirement to use basic auth, but it's not clear
> now that that is the case.
>
> There's one other issue: although I haven't tested it I think there may
> be a problem with getting this to work for table uploads in TAP,
> for somewhat complicated reasons to do with streaming of large
> uploaded tables.  I don't know whether you are planning to offer
> uploads in your TAP service.

----------------------------------------
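Mark's note above points out that TOPCAT's experimental mechanism replays the same star.basicauth credentials to any URL that answers 401. The following is an added illustration (not TOPCAT or STILTS code) of the per-service variant he sketches: credentials are looked up by https origin and are never sent to an unknown host or over plain http. The credential table, the hostname tap.example.org and the fake_send stand-in for an HTTP client are constructed for the example.

```python
import base64
from urllib.parse import urlsplit

# Constructed per-service store, keyed by (scheme, host). TOPCAT's real
# mechanism holds a single global user/password pair instead.
CREDENTIALS = {
    ("https", "tap.example.org"): ("alice", "s3cret"),
}


def basic_auth_header(user, password):
    """Build the RFC 7617 Authorization header value for HTTP Basic."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_for(url):
    """Return (user, password) for an exact https origin, else None.

    Plain-http URLs get nothing: Basic credentials are only base64, so
    they must not travel without TLS (the 'tls-with-password' case).
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return None
    return CREDENTIALS.get(("https", parts.hostname.lower()))


def fetch_with_basic_retry(url, send):
    """Mimic the 'retry on 401' behaviour, but only with scoped credentials.

    send(url, headers) -> (status, body) is the transport; it is injected
    so the example runs offline.
    """
    status, body = send(url, {})
    if status != 401:
        return status, body
    creds = credentials_for(url)
    if creds is None:
        return status, body  # unknown origin or no TLS: do not retry
    return send(url, {"Authorization": basic_auth_header(*creds)})


def fake_send(url, headers):
    """Constructed stand-in for a protected TAP endpoint accepting alice."""
    if headers.get("Authorization") == basic_auth_header("alice", "s3cret"):
        return 200, "VOTable"
    return 401, "Unauthorized"
```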



On 08/08/11 18:43, matthias egger wrote:
> 
> Hi DAL/Grid List Members,
> 
> in the course of (beta-) testing our TAP service with TOPCAT we again
> came across the topic of authentication and SSO.
> 
> we need to protect our web services with a user-login, while TOPCAT's
> TAP interface currently does not support this.
> 
> we wonder now, what is the best practice there in the context of ivoa,
> tap/uws?
> 
> 
> so i'd like to start a short discussion/survey about whether some of you
> have similar requirements and esp. which - if any - authentication
> system you are currently using, and possibly whether you also use
> distributed (web-) SSO protocols like SAML2 or openID.
> 
> in short:
> 
> * do you run a TAP service which requires authentication
> 
> * if yes: which authentication method/system do you use:
> 
>   * (HTTP) BASIC
> 
>   * FORM-Based
> 
>   * X.509 Certificates
> 
>   * SAML2
> 
>   * OpenID
> 
>   * other: ?
> 
> 
> background is that we need to put security on top of our
> web-applications (also considering frameworks like openID and
> SAML2/Shibboleth) and would like to hear what is most common and
> recommended in ivoa,
> also whether it is worth implementing (most common web-) authentication
> support in client tools e.g. TOPCAT.
> 
> 
> any feedback is very welcome.
> 
> thanks and regards! matthias
> 
> 
> 

-- 
--------------------------------------------------
Matthias Egger
Max Planck Institute for Astrophysics
web:    www.mpa-garching.mpg.de
email:	megger at mpa-garching.mpg.de
fon:	+49-89-30000-2040
fax:    +49-89-30000-2235
--------------------------------------------------
