OpenID and SSO

Patrick Dowler pdowler.cadc at gmail.com
Fri May 6 01:25:34 CEST 2022


It is true that on the one hand we tell everyone "if a web site asks for
your user name and password for some other site, it's a phishing attack"
and I suppose a lot of this is based on now thinking that applications are
by definition no longer to be trusted. The part I don't like about it is
that it's the user that should make that (hopefully informed) call about
trusting topcat (or not :-)) but that's not how things work anymore. The
world of mobile "apps" has blurred the line between web sites and your own
applications so now using an application that can do authentication is a
"phishing attack". #sigh

Probably a question for Alberto: How would/will ESO enable their users to
use applications like topcat, pyvo, astropy, etc to access their services
with auth?

I can think of several simple ways:
1. user authenticates in browser and then downloads a (bearer) token the
various tools can use
2. user authenticates in browser and then downloads proxy cert the various
tools can use

These can work; maybe ESO users will be OK with that. We (CADC/CANFAR) have
a link for #2 on our site when the user is logged in and we could have one
for #1 except users wouldn't know what to do with it (chicken-vs-egg
problem w.r.t. the applications)... and really they should generate and
manage separate tokens for different things... like github, google, and
everyone else does now. So industry-wise it looks like #1 is the de facto
solution for this, but I find it a pain as a user.

Anyway, the solution for ESO and ESO users is probably #1, so topcat
probably needs to be able to read tokens (like certs) from a file or
command line or cut&paste into a text box. It's really ugh but somehow a
lot of people have been convinced that typing username and password into a
browser window is inherently more secure than into a topcat window and you
can trust one (*cough*google chrome*cough*) but not the other and you don't
get to choose.

Well, you can see that this topic annoys a lot :-)

--
Patrick Dowler
Canadian Astronomy Data Centre
Victoria, BC, Canada


On Thu, 5 May 2022 at 01:50, Mark Taylor <m.b.taylor at bristol.ac.uk> wrote:

> On the topic of OpenID authentication for non-browser clients that I
> mentioned in my earlier email; although CADC currently issue a challenge
>
>    www-authenticate: ivoa_bearer standard_id="ivo://ivoa.net/sso#OpenID",
> access_url="https://ws-cadc.canfar.net/ac"
>
> I understand from Brian that they don't really expect OpenID Connect
> to be used by non-browser clients, and hence that it doesn't need to
> be declared as a challenge in this way (and may therefore be withdrawn).
>
> However, I understand from Alberto that ESO will require use of OpenID
> for all clients wishing to authenticate, on the grounds that SSO via
> tls-with-password or BasicAA, which involve presentation of username
> and password to untrusted desktop clients, are insufficiently secure
> to meet their policies.
>
> Implementation of OpenID Connect-based authentication by non-browser
> clients such as topcat is not impossible, but it probably requires
> browser interaction as described by RFC8252 and therefore represents
> a significant client implementation burden as well as having usability
> impacts.
>
> Mark
>
> --
> Mark Taylor  Astronomical Programmer  Physics, Bristol University, UK
> m.b.taylor at bristol.ac.uk          http://www.star.bristol.ac.uk/~mbt/
>
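As an added illustration (not code from this thread, from topcat, pyvo or CADC) of what option #1 above asks of a non-browser client: a small Python helper that parses a challenge of the form quoted from CADC, reads a token the user downloaded after logging in via a browser from a file or environment variable, and builds the response header. It assumes the token is presented as `Authorization: Bearer <token>` (the thread does not spell this out), the file and environment-variable names are made up, and the challenge and token values are constructed samples; it makes no network calls.

```python
"""Added example, not code from the mailing-list post or from topcat/pyvo.

Client side of option #1: after a browser login the user downloads a bearer
token, and a desktop tool reads it from a file (or environment variable) and
presents it in response to a challenge like the one quoted from CADC.
Assumption: the token is sent as "Authorization: Bearer <token>". File and
env-var names are made up; the challenge and token below are constructed
sample values, and nothing here touches the network.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Challenge header value exactly as quoted in the thread.
SAMPLE_CHALLENGE = (
    'ivoa_bearer standard_id="ivo://ivoa.net/sso#OpenID", '
    'access_url="https://ws-cadc.canfar.net/ac"'
)
# Constructed sample value, not a real credential.
SAMPLE_TOKEN = "sample-bearer-token-0123456789abcdef"

_PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
BEARER_SCHEMES = ("bearer", "ivoa_bearer")


def parse_challenge(header_value):
    """Split a WWW-Authenticate value into (scheme, {param: value}).
    Only the quoted-string parameters used in the quoted challenge are
    handled; anything else is ignored."""
    scheme, _, rest = header_value.strip().partition(" ")
    return scheme.lower(), dict(_PARAM_RE.findall(rest))


def write_token_file(path, token):
    """Store a token the way the download step should: owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    os.chmod(path, 0o600)  # in case the file already existed with a wider mode


def load_token(path=None, env_var="IVOA_BEARER_TOKEN"):
    """Read the token from a file (preferred) or an environment variable.
    A file readable by group/others is refused: the downloaded token is a
    credential in its own right, so the same rule as for ssh private keys."""
    if path is not None:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {mode:o} is too open, use 600")
        token = Path(path).read_text().strip()
    else:
        token = os.environ.get(env_var, "").strip()
    if not token:
        raise ValueError("no bearer token available")
    return token


def redact(token):
    """Form safe for logs: never write the full token anywhere."""
    return "..." + token[-4:] if len(token) > 8 else "***"


def auth_header(challenge_value, token):
    """Build the Authorization header for a bearer-type challenge.
    Returns None for schemes this helper does not speak (e.g. Basic), so the
    caller never sends a token to a server that asked for something else."""
    scheme, params = parse_challenge(challenge_value)
    if scheme not in BEARER_SCHEMES:
        return None
    access_url = params.get("access_url")
    if access_url and urlsplit(access_url).scheme != "https":
        raise ValueError("refusing challenge with non-https access_url")
    return {"Authorization": "Bearer " + token}


def demo(tmpdir=None):
    """Round trip: store a sample token owner-only, load it, build the
    header, and show that a world-readable copy is refused."""
    d = Path(tmpdir or tempfile.mkdtemp())
    write_token_file(d / "token", SAMPLE_TOKEN)
    headers = auth_header(SAMPLE_CHALLENGE, load_token(d / "token"))
    shared = d / "token-shared"
    shared.write_text(SAMPLE_TOKEN)
    os.chmod(shared, 0o644)
    try:
        load_token(shared)
        refused = False
    except PermissionError:
        refused = True
    return headers, refused


if __name__ == "__main__":
    h, r = demo()
    print("header uses", redact(h["Authorization"]), "; shared file refused:", r)
```

The permission check and the refusal of non-https `access_url` are the two points a tool author would want once "download a token" becomes the norm: a token sitting in a home directory is as sensitive as the password it replaces, and a client that blindly answers any challenge with whatever credential it holds recreates the very problem the browser-only policy tries to avoid.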