OpenID and SSO
Mark Taylor
m.b.taylor at bristol.ac.uk
Thu May 5 10:50:37 CEST 2022
On the topic of OpenID authentication for non-browser clients that I
mentioned in my earlier email: although CADC currently issue a challenge
www-authenticate: ivoa_bearer standard_id="ivo://ivoa.net/sso#OpenID", access_url="https://ws-cadc.canfar.net/ac"
I understand from Brian that they don't really expect OpenID Connect
to be used by non-browser clients, and hence that it doesn't need to
be declared as a challenge in this way (and may therefore be withdrawn).
However, I understand from Alberto that ESO will require use of OpenID
for all clients wishing to authenticate, on the grounds that SSO via
tls-with-password or BasicAA, which involve presentation of username
and password to untrusted desktop clients, are insufficiently secure
to meet their policies.
Implementation of OpenID Connect-based authentication by non-browser
clients such as topcat is not impossible, but it probably requires
browser interaction as described by RFC8252 and therefore represents
a significant client implementation burden as well as having usability
impacts.
Mark
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bristol.ac.uk http://www.star.bristol.ac.uk/~mbt/
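As an added illustration of the two technical points in the message above (the ivoa_bearer challenge quoted from CADC, and the RFC 8252 style browser hand-off a desktop client would need), here is example code that is not from the original mail and not from CADC, ESO or topcat. It parses a WWW-Authenticate value to locate the OpenID challenge, builds an authorization request with PKCE (RFC 7636) and a loopback redirect URI (RFC 8252 section 7.3), and validates the redirect the browser delivers back. The authorization endpoint, client id and port are assumed values; a real client would obtain the endpoints from OpenID Provider discovery and would then exchange the code over HTTPS, which this offline example does not do.

```python
"""Non-browser client side of an RFC 8252 style OpenID Connect login.

Added example, not code from the e-mail thread or from CADC/ESO/topcat.
Assumptions: the authorize endpoint, client_id and loopback port passed in
are placeholders; OpenID Provider discovery and the final code-for-token
exchange are out of scope here.
"""
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Challenge string exactly as quoted in the e-mail (the only real data here).
CHALLENGE = ('ivoa_bearer standard_id="ivo://ivoa.net/sso#OpenID", '
             'access_url="https://ws-cadc.canfar.net/ac"')

OPENID_STANDARD_ID = 'ivo://ivoa.net/sso#OpenID'

# A token followed by ="..." is a parameter; a bare token starts a new scheme.
_TOKEN_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"|([A-Za-z0-9_-]+)')


def parse_challenges(header):
    """Split a WWW-Authenticate value into a list of (scheme, params).

    Handles several comma-separated challenges, each with quoted-string
    parameters (the only parameter form the quoted challenge uses).
    Scheme names are lower-cased because HTTP treats them case-insensitively.
    """
    challenges = []
    for match in _TOKEN_RE.finditer(header):
        name, value, scheme = match.groups()
        if scheme is not None:
            challenges.append((scheme.lower(), {}))
        elif challenges:
            challenges[-1][1][name.lower()] = value
    return challenges


def find_openid_challenge(header):
    """Return the access_url of an ivoa_bearer/OpenID challenge, or None."""
    for scheme, params in parse_challenges(header):
        if scheme == 'ivoa_bearer' and params.get('standard_id') == OPENID_STANDARD_ID:
            return params.get('access_url')
    return None


def new_verifier():
    """Fresh PKCE code_verifier: 43 unreserved characters from 32 random bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b'=').decode('ascii')


def pkce_challenge(verifier):
    """S256 code_challenge = BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode('ascii')).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b'=').decode('ascii')


def build_authorization_request(authorize_endpoint, client_id, port, verifier, state):
    """Return (authorization URL to open in the system browser, redirect_uri).

    The redirect goes to a loopback listener the client opens on an
    ephemeral port, as RFC 8252 section 7.3 describes for native apps.
    PKCE replaces a client secret, which a desktop client cannot keep.
    """
    redirect_uri = f'http://127.0.0.1:{port}/callback'
    params = {
        'response_type': 'code',
        'client_id': client_id,
        'redirect_uri': redirect_uri,
        'scope': 'openid',
        'state': state,
        'code_challenge': pkce_challenge(verifier),
        'code_challenge_method': 'S256',
    }
    return authorize_endpoint + '?' + urlencode(params), redirect_uri


def parse_callback(request_target, expected_state):
    """Validate the request the browser sends to the loopback listener.

    Rejects provider errors, a missing or mismatching state (stale or
    forged callback), and a missing code. Returns the authorization code,
    which the client must then exchange together with the code_verifier.
    """
    query = parse_qs(urlsplit(request_target).query)
    if 'error' in query:
        raise ValueError('authorization failed: ' + query['error'][0])
    state = query.get('state', [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError('state mismatch: stale or forged callback')
    code = query.get('code', [None])[0]
    if not code:
        raise ValueError('no authorization code in callback')
    return code


if __name__ == '__main__':
    print('OpenID access_url:', find_openid_challenge(CHALLENGE))
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    url, redirect = build_authorization_request(
        'https://op.example/authorize', 'desktop-client', 43210, verifier, state)
    print('open in browser:', url)
    print('listen on:', redirect)
```

The parser keeps challenges in order so a client can prefer a scheme it supports; the state check uses a constant-time comparison and the loopback listener should be bound to 127.0.0.1 only and accept a single callback before closing.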