Authentication - Potential around a credential store/API

Van Klaveren, Brian N. bvan at slac.stanford.edu
Thu Mar 28 18:37:30 CET 2019 

Hi All,

Honestly I'm not sure if this should be in Apps or GWS, but since I had mostly been thinking about this in the context of SSO I'll send it to GWS.

I was playing around with hacking up PyVO for authentication, and realized that it's one-client approach meant we could accidentally send credentials from one provider to different providers. So at first I wrapped the pyvo.utils.http.session.request method which introspected the URL and would only apply auth if the request was to our domain.

This is again, fine, if you're only talking to one service/instance at a time, but we have prod and test instances, and the credentials aren't exactly the same, so that code would need to be more complicated.

So, there's at least three ways to go about this:
 - the astroquery way, which I think means the client is specific to the backend, and you explicitly "login" for each one; or
 - a generic client that is configured with an authentication mechanism that can introspect the URL and apply credentials as appropriate (this seems typical - it's the case with pyvo via pyvo.); or
 - a generic meta-client that's is aware of properly configured backend clients, which can introspect the URL and select the client as appropriate

I know Mark talked on per-site authentication a bit at the last interop - I'm not sure what approach he was using (feel free to chime in).

I was thinking that it could be useful to have a generic credential manager and API, similar to git-credential-store or git-credential-cache, for all three client strategies.

I did some light hacking with keyring [ https://pypi.org/project/keyring/ ], to see what would be a secure way to store credentials, out of curiosity regarding this:
https://gist.github.com/brianv0/34ecaac33ee5892caeb46d29364c7d14

In that gist
• There's a yaml that roughly corresponds to a way of describing credentials
• A user must declare the authentication context to the CredentialHelper. This is mostly because there's not an easy way to list credentials
  - but the credentials could just be stored in one giant blob for the entire application
• The CredentialHelper can tell you which credentials to use for a given URL.
• If PyVO was using this, for example, might call `get_credential` for every URL and modify the auth object for it's `pyvo.util.http.session.request` as appropriate

Anyway, I thought I'd just post these ideas to see if they are interesting to anyone. From an interop standpoint - an IVOA credential manager could be useful as more authenticated services come online, and it might mean less futzing for users that may be accessing multiple authenticated endpoints on TOPCAT, and PyVO or astroquery, for example.

Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ivoa.net/pipermail/grid/attachments/20190328/c5510bd7/attachment.html>

More information about the grid mailing list