SSO major editing

Mark Taylor m.b.taylor at bristol.ac.uk
Wed May 8 20:50:40 CEST 2024


On Wed, 8 May 2024, Markus Demleitner via grid wrote:

> Disclaimer: I've always maintained a healthy distance from proper
> cryptography, and I have done virtually no thinking about whether
> certain regulations increase the attack surface; x-vo-authenticated,
> for instance, feels potentially dangerous.  Perhaps we should solicit
> a few more opinions whether that's indeed harmless.  Also... What's
> the use case for letting people discover who they are?

I also haven't given thought to whether this is dangerous,
though I feel like it's not since you already have to be
authenticated to see it.

But the use case is to check whether, having submitted your
credentials, you have actually managed to log in successfully.
Otherwise with e.g. a TAP service providing optional authentication,
you might supply some credentials (e.g. a token or certificate
which may or may not be recognised) and get to use the service,
but not know whether you are doing that as an anonymous or
authenticated user.  A simple "authenticated" flag rather than a
user identifier would do part of the same job, but actually getting
confirmation from the service of who it thinks you are is more
convincing.

Mark

--
Mark Taylor  Astronomical Programmer  Physics, Bristol University, UK
m.b.taylor at bristol.ac.uk          https://www.star.bristol.ac.uk/mbt/
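The scenario Mark describes, as an added illustration that is not part of the original thread: a service with optional authentication serves a request even when the supplied token is not recognised, and the client can only tell whether it was treated as anonymous or as a named user by looking at the identity the service echoes back. The header name x-vo-authenticated comes from the list discussion; the semantics assumed here (present with the user identity only when the credentials were accepted), the Bearer token scheme and the token table are constructed for the example.

```python
"""Client/service sketch of the 'who does the service think I am' check.
Header semantics, token scheme and token table are assumptions for this
example, not a description of any IVOA specification."""
from dataclasses import dataclass
from typing import Optional

# Constructed token table standing in for whatever the real service uses
# to validate credentials (certificates, tokens, ...).
KNOWN_TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def tap_service(request_headers: dict) -> Response:
    """Service with optional authentication: missing or unrecognised
    credentials are not rejected, the request is simply served anonymously."""
    auth = request_headers.get("Authorization", "")
    user: Optional[str] = None
    if auth.startswith("Bearer "):
        user = KNOWN_TOKENS.get(auth[len("Bearer "):])
    resp_headers = {"Content-Type": "text/plain"}
    if user is not None:
        # Assumed semantics: only set when the credentials were accepted.
        resp_headers["x-vo-authenticated"] = user
    return Response(200, resp_headers, "query result")


def login_status(resp: Response, expected_user: str) -> str:
    """Client side: decide from the response whether the credentials were
    accepted and whether the confirmed identity is the one expected.
    HTTP header names are case-insensitive, so normalise before lookup."""
    lower = {k.lower(): v for k, v in resp.headers.items()}
    who = lower.get("x-vo-authenticated")
    if who is None:
        return "anonymous"          # served, but credentials were ignored
    if who != expected_user:
        return f"authenticated-as-other:{who}"
    return "authenticated"


def query_as(token: Optional[str], expected_user: str) -> str:
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return login_status(tap_service(headers), expected_user)


if __name__ == "__main__":
    print(query_as("tok-alice-123", "alice"))  # authenticated
    print(query_as("tok-stale-999", "alice"))  # anonymous: token unrecognised, still served
```

A plain "authenticated" boolean would only distinguish the first two outcomes; echoing the identity also catches the third, where the service accepted the credentials but mapped them to a different user than the client expected.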

