ivoa-oauth: an SSO-next based approach to allowing non-browser-based VO clients to use OAuth 2.x/OIDC
Mark Taylor
m.b.taylor at bristol.ac.uk
Wed Oct 9 17:11:15 CEST 2024
James,
I'm very pleased to see somebody having a go at this.
I think it would be good to have it presented at the Interop,
but if not I'll talk to you about it in Malta anyway.
I don't have much actual experience with OAuth2 and OIDC,
though I've waded through some of the specifications a few times.
So I don't understand all the details, but a few comments:
- The scheme name "ivoa-oauth2" in the WWW-Authentication challenge
should be fine if you think it's a better choice than "ivoa-oauth",
I don't foresee any restriction to alphabetic names here.
- There may be devils in the detail of the "allowed_domains" response;
will it just be hostnames or something at a coarser/finer level?
Hopefully there's some existing standards text that could be co-opted
here (maybe the Origin concept from RFC6454).
- It's not clear to me at what stage the user supplies a username
and password - I assume that happens somewhere?
Is it when the client registers with the registration endpoint
as per Section 2 of RFC6749? If so (and, probably, in any case)
it will be necessary to specify exactly how this authentication
is done, e.g. mandating Basic Auth.
- I'm surprised that having got the token you present it in the
Authorization header (in the general case) using the scheme name
"ivoa-auth" rather than just "bearer"; I'd have thought that
having got the thing you would just treat it like a standard
bearer token. But there may be some good reason for this.
- If you (or somebody else) can provide a prototype service implementing
this, I'd aim to attempt prototype client support for it in topcat
on a fairly short timescale.
Mark
On Wed, 9 Oct 2024, James Tocknell via grid wrote:
> Hi All
>
> I've written a draft idea for how to allow VO clients to use OAuth 2.x/OIDC to access VO resources.
> I'm happy to talk about this at the Interop (I'll be at both ADASS and the Interop this year), or discuss it over the breaks.
> I've not as yet implemented any of this, but due to needing to do some work related to some of our ancillary non-VO services to work with OAuth 2, and from previous projects, it shouldn't take too long to implement both on the client and the (resource) server side, as this tries as much as possible to align with existing libraries that I've used. I'd be interested especially in opinions from those who are already using OAuth 2.x/OIDC (I know the ESO archive and Rubin do to some extent), as I'm aiming for something that bridges the gap between existing implementations, rather than requiring a whole bunch of effort to implement.
>
> Regards
> James
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bristol.ac.uk https://www.star.bristol.ac.uk/mbt/
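An added example, written for this archive page and not part of James's draft or Mark's reply, of the client-side check Mark's second bullet points at: comparing a resource URL against the `allowed_domains` list by RFC 6454 origin (scheme, host, port) so the token is only attached to requests for matching origins. It assumes the list entries are serialised origins such as `https://tap.example.org` and uses the standard `Bearer` scheme Mark suggests; both are assumptions, not the draft's format.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when a URL omits the port (RFC 6454, section 4).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the RFC 6454 origin triple (scheme, host, port) of a URL.

    Scheme and host are lower-cased; a missing port is replaced by the
    scheme's default so 'https://a' and 'https://a:443' are the same origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return (scheme, host, port)


def token_allowed_for(url, allowed_domains):
    """True if the URL's origin is listed in allowed_domains.

    Assumed (hypothetical) list format: serialised origins such as
    'https://tap.example.org'. Entries that do not parse as an origin are
    skipped rather than treated as a wildcard, so the check fails closed.
    Matching is exact: a different scheme, port or subdomain does not match.
    """
    target = origin_of(url)
    for entry in allowed_domains:
        try:
            if origin_of(entry) == target:
                return True
        except ValueError:
            continue
    return False


def authorization_header(url, token, allowed_domains):
    """Headers for a resource request: the token only goes to allowed origins."""
    if token_allowed_for(url, allowed_domains):
        return {"Authorization": f"Bearer {token}"}  # 'Bearer' is an assumption
    return {}
```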