OpenID and SSO

Markus Demleitner msdemlei at ari.uni-heidelberg.de
Fri May 6 09:24:07 CEST 2022


Hi GWS,

On Thu, May 05, 2022 at 04:25:34PM -0700, Patrick Dowler wrote:
> by definition no longer to be trusted. The part I don't like about it is
> that it's the user that should make that (hopefully informed) call about
> trusting topcat (or not :-)) but that's not how things work anymore. The
> world of mobile "apps" has blurred the line between web sites and your own
> applications so now using an application that can do authentication is a
> "phishing attack". #sigh

Sigh, indeed.

Let's all try to talk the higher-ups out of the notion that, of all
the programs that run on a computer, it is the browser that is to
be trusted.  Given the steady stream of exploits of the engines,
given that the browser continually executes essentially uncurated
programs from hundreds, if not thousands of sites [1], where most of
these programs can safely be considered adversarial, given scary web
standards from WebUSB to local storage that these programs can use,
this notion is so obviously erroneous that I really wonder how anyone
might share it.

I'd not worry too much about such erroneous thoughts, as I am
absolutely unconcerned about phishing attacks to obtain credentials
for accessing the latest lightcurves of LGM-33201.  Except, as Pat says,
they have very concrete and damaging consequences to our ecosystem:

> Probably a question for Alberto: How would/will ESO enable their users to
> use applications like topcat, pyvo, astropy, etc to access their services
> with auth?
> 
> I can think of several simple ways:
> 1. user authenticates in browser and then downloads a (bearer) token the
> various tools can use
> 2. user authenticates in browser and then downloads proxy cert the various
> tools can use

Please... let's not do auth in either of these ways.  It'll scare our
users away and into the hands of non-interoperable, walled-garden
platforms.

> everyone else does now. So industry-wise it looks like #1 is the de facto
> solution for this, but I find it a pain as a user.

So do I, in particular if there is any expectation that there is some
"security" to that, which would mean short-lived tokens, so people
would have to repeat that ordeal every half hour or so.

Of course, if the higher-ups can be convinced that getting a token
once and forever is "secure", then you have my blessing.

> Well, you can see that this topic annoys a lot :-)

+1

        -- Markus

[1] Which, sure enough, we ought to fix.  Insert my usual rant
against requiring JavaScript everywhere, and my usual plea to take
care your stuff at least has basic functionality if folks refuse to
run your JavaScript.

