ivoa-oauth: an SSO-next based approach to allowing non-browser-based VO clients to use OAuth 2.x/OIDC
Mark Taylor
m.b.taylor at bristol.ac.uk
Fri Oct 11 10:41:14 CEST 2024
On Thu, 10 Oct 2024, Russ Allbery via grid wrote:
> > There'd also the weirdness of the challenge being `ivoa-oauth2` and the
> > response being `bearer`, but that's a minor thing.
>
> Honestly, I'd rather fix that as well: make the challenge be bearer but
> add other IVOA-specific attributes to tell the client how to go get that
> bearer token following our protocol.
We could do that, but I don't know why it would be desirable,
and I don't see a problem with the challenge auth-scheme and the
first token in the Authorization header having different values.
The other SSO_next schemes don't follow that pattern; ivoa_cookie
and ivoa_x509 don't use the Authorization header at all.
If we use "bearer" as www-authenticate challenge auth scheme,
then we're sitting on top of RFC6750 and might possibly run into
compatibility issues with that standard or interfere with other
Bearer-related auth-param namespaces. If we use our own scheme
"ivoa-oauth2" we can do what we want.
Multiple challenges are of course possible, so a response can
have a standard Bearer challenge as well as an ivoa-oauth2 one.
Mark
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bristol.ac.uk https://www.star.bristol.ac.uk/mbt/
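To make the point about multiple challenges concrete, here is an added example (not code from this message or from any IVOA software) of a client-side parser for a WWW-Authenticate header that carries a standard RFC 6750 Bearer challenge next to IVOA-specific challenges, and of the client picking the scheme it understands while still presenting the resulting credential as `Bearer`. The sample header is constructed; the `token_endpoint` auth-param name is hypothetical and stands in for whatever attributes the ivoa-oauth2 scheme would define.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample 401 header: a standard Bearer challenge (RFC 6750)
# alongside IVOA-specific challenges. "token_endpoint" is a hypothetical
# auth-param name, shown only to illustrate IVOA attributes living under
# their own scheme instead of inside the Bearer auth-param namespace.
SAMPLE_HEADER = (
    'Bearer realm="vo", '
    'ivoa-oauth2 realm="vo", token_endpoint="https://example.invalid/token", '
    'ivoa_cookie, ivoa_x509'
)

# RFC 7230 token and quoted-string productions
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SEP_RE = re.compile(r"[\s,]*")
_PARAM_RE = re.compile(rf"({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})")
_SCHEME_RE = re.compile(rf"({_TOKEN})(?=[\s,]|$)")

Challenge = Tuple[str, Dict[str, str]]


def _unquote(value: str) -> str:
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Commas separate both whole challenges and the auth-params inside one
    challenge, so each item is classified by whether it is followed by '='.
    Only the auth-param form is handled (no token68 challenges); scheme
    and parameter names are case-insensitive and are lower-cased here.
    """
    challenges: List[Challenge] = []
    pos = 0
    while True:
        pos = _SEP_RE.match(header, pos).end()
        if pos >= len(header):
            return challenges
        param = _PARAM_RE.match(header, pos)
        if param:
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            name, value = param.group(1).lower(), _unquote(param.group(2))
            challenges[-1][1][name] = value
            pos = param.end()
            continue
        scheme = _SCHEME_RE.match(header, pos)
        if not scheme:
            raise ValueError(f"malformed challenge at offset {pos}")
        challenges.append((scheme.group(1).lower(), {}))
        pos = scheme.end()


def choose_challenge(
    challenges: List[Challenge],
    preference: Tuple[str, ...] = ("ivoa-oauth2", "bearer"),
) -> Optional[Challenge]:
    """Return the first scheme in preference order that the server offered."""
    offered: Dict[str, Dict[str, str]] = {}
    for scheme, params in challenges:
        offered.setdefault(scheme, params)  # first occurrence of a scheme wins
    for scheme in preference:
        if scheme in offered:
            return scheme, offered[scheme]
    return None


def authorization_header(token: str) -> str:
    """Whichever challenge the client followed to obtain the token, the
    credential is presented as an RFC 6750 bearer token, so the
    Authorization auth-scheme is 'Bearer', not the challenge's scheme."""
    return f"Bearer {token}"


if __name__ == "__main__":
    parsed = parse_www_authenticate(SAMPLE_HEADER)
    for scheme, params in parsed:
        print(scheme, params)
    print(choose_challenge(parsed))
```

Because the classification depends only on the `=` that follows a parameter name, a quoted value containing a comma (for example `realm="a, b"`) stays inside its challenge, which is the case a naive `split(",")` gets wrong.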