Single-Sign-On Profile: Next version

Brian Major major.brian at gmail.com
Mon Jul 12 19:53:11 CEST 2021


Hi GWS,

In the last few interop meetings there has been much discussion on how we
can improve upon the Single-Sign-On Profile (SSO 2.0), especially in the
context of supporting authentication for non-browser clients, where
existing standards do not offer much help.

The current REC:  https://ivoa.net/documents/SSO/20170524/index.html

After a recent post-interop meeting we decided to get the next version
started with this email, listing the general changes required.  Comments
and feedback encouraged.

I think these slides from the last interop provide a decent review of
what's needed for non-browser authentication support:

    https://wiki.ivoa.net/internal/IVOA/InterOpMay2021GWS/AA-Updates.pdf

Here are the points, summarized:

1.  Updates and clarifications to Security Methods

    1a.  Separate SecurityMethods into two categories: 1) ways of obtaining
credentials and 2) ways credentials are accepted.  (Note that Mark T
pointed out that #cookie should be in the first group, not the second.)

    1b.  ivo://ivoa.net/sso#tls-with-password  -  Describe how to perform
a username/password POST to obtain a token

    1c.  ivo://ivoa.net/sso#token  -  Used by a service to advertise that
tokens are accepted

    1d.  Provide examples of using each of the security methods

2.  Authentication discovery -- allow non-browser clients to easily and
programmatically discover and obtain token credentials.

    2a.  Providing a bootstrap mechanism for discovering a service's
authentication support.  Please comment in the thread started by Mark
Taylor on this topic a few weeks ago, here:
http://mail.ivoa.net/pipermail/grid/2021-June/003103.html

    2b.  Use of the WWW-Authenticate header
        - to convey details on obtaining tokens
        - to convey auth failures

    2c.  Use of the Authorization header
        - by clients to provide token credentials

    2d.  Use of the X-VO-Authenticated header.
        - to communicate authentication success

---
Cheers,
Brian
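As an added illustration (my own example, not part of the email or of any IVOA document) of the flow that points 1b and 2b-2d sketch for a non-browser client: a constructed in-memory service plays both sides, so it runs offline. The header names come from the email; the `Bearer` scheme, the challenge parameters `standard_id` and `access_url`, the login URL and the test account are assumptions and placeholders.

```python
import re
import secrets
# Constructed in-memory service standing in for both sides of the exchange.
# Header names come from the email; everything else below is assumed/placeholder.
TLS_PASSWORD = "ivo://ivoa.net/sso#tls-with-password"
LOGIN_URL = "https://example.org/login"
USERS = {"alice": "correct horse"}   # constructed test account
TOKENS = {}                          # issued token -> identity

def server(method, url, headers=None, form=None):
    """Service side: returns (status, headers, body)."""
    headers, form = headers or {}, form or {}
    if method == "POST" and url == LOGIN_URL:        # 1b: password POST over TLS
        expected = USERS.get(form.get("username", ""))
        if expected is None or not secrets.compare_digest(expected, form.get("password", "")):
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_credentials"'}, ""
        token = secrets.token_urlsafe(32)
        TOKENS[token] = form["username"]
        return 200, {}, token
    scheme, _, token = headers.get("Authorization", "").partition(" ")  # 2c
    if not scheme:                                   # 2b: how to obtain a token
        return 401, {"WWW-Authenticate":
                     f'Bearer standard_id="{TLS_PASSWORD}", access_url="{LOGIN_URL}"'}, ""
    user = TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:                                 # 2b: convey the failure
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""
    return 200, {"X-VO-Authenticated": user}, "secret data"   # 2d: success

def parse_challenge(value):
    scheme, _, params = value.partition(" ")        # 'Scheme k="v", k="v"'
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', params))

def fetch(url, username, password):
    """Non-browser client: discover, obtain a token, present it, check identity."""
    status, hdrs, body = server("GET", url)
    if status == 401:
        scheme, params = parse_challenge(hdrs["WWW-Authenticate"])
        if scheme != "Bearer" or params.get("standard_id") != TLS_PASSWORD:
            raise RuntimeError(f"cannot satisfy challenge: {hdrs['WWW-Authenticate']}")
        if not params["access_url"].startswith("https://"):   # never send a password in clear
            raise RuntimeError("login endpoint is not TLS")
        status, _, token = server("POST", params["access_url"],
                                  form={"username": username, "password": password})
        if status != 200:
            raise PermissionError("login rejected")
        status, hdrs, body = server("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise PermissionError(hdrs.get("WWW-Authenticate", "authentication failed"))
    return hdrs.get("X-VO-Authenticated"), body
```

The client refuses challenges it cannot satisfy and will only POST the password to an https endpoint, which is the whole point of the tls-with-password method.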