Dear all,
as you might have noticed by now, we at HZB are currently working on
an ICAT authenticator plugin for the OpenID Connect / OAuth 2.0 family
of protocols that is used in Keycloak [1].

First of all, the good news: it works! I deployed the current
development version in a proof-of-concept test server and am able to
log in with Keycloak and obtain an ICAT session. There are still some
changes in the plugin on our TODO list, though.

Note however that for a login with OpenID Connect, only half of the
work is to be done in the ICAT authenticator that takes an access
token and verifies it. The other half of the work is to obtain that
access token in the first place and that must be done in the web user
interface as it requires several layers of HTTP redirections. So you
cannot expect to simply deploy the plugin and you are set. In
particular it will not work with TopCAT without modification.

(For the technically curious: I used an Apache reverse proxy in front of
ICAT and mod_auth_openidc [2] to manage the communication with
Keycloak in my test. In that setup, an almost trivial Python web
service script can be used to log into ICAT and obtain a session ID.)

In the course of the development, we understood that the name
"authn.oauth2" might not be appropriate. In the end, it's more like an
OpenID Connect authenticator rather than a generic OAuth 2.0
implementation. (OpenID Connect is defined on top of OAuth 2.0 and we
need some properties in the token and the general environment that are
specific to OpenID Connect.)

So I suggest renaming that plugin to "authn.oidc". Any objections
against that name or other suggestions?

Best regards,
Rolf

[1]: https://www.keycloak.org/
[2]: https://github.com/zmartzone/mod_auth_openidc/
--
Rolf Krahl <rolf....@helmholtz-berlin.de>
Helmholtz-Zentrum Berlin für Materialien und Energie (HZB)
Albert-Einstein-Str. 15, 12489 Berlin
Tel.: +49 30 8062 12122
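The split described in the post (the reverse proxy and mod_auth_openidc obtain the token through the redirect flow, a small web service hands it to ICAT, and the authenticator verifies it) can be illustrated with the following example. It is an added sketch and not part of the post, not HZB's authn plugin and not ICAT code. It assumes the token reaches the backend in an `OIDC_access_token` header (the header name mod_auth_openidc uses when configured to pass the token), and the issuer URL, audience, shared secret, session store and all function names are constructed for the example. It signs with HS256 over a shared secret so that it runs with the Python standard library only; a real OpenID Connect deployment verifies RS256 signatures against the provider's published JWKS instead.

```python
# Added example: the token-verification half of an OpenID Connect login.
# Not the post's code, not the HZB plugin, not ICAT. HS256 over a constructed
# shared secret stands in for the RS256/JWKS check a real deployment does.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed values; a deployment takes these from its configuration.
ISSUER = "https://keycloak.example.org/realms/icat"
AUDIENCE = "icat-client"
SHARED_SECRET = b"constructed-shared-secret-for-the-example"


class TokenError(Exception):
    """Raised whenever a token must be rejected."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the provider: mint a signed JWT for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience, expiry and subject; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: the token never chooses it (this also rejects "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired or without exp")
    if not claims.get("sub"):
        raise TokenError("no subject")
    return claims


# In-memory session store standing in for the ICAT session the post mentions.
SESSIONS: Dict[str, dict] = {}


def login_from_headers(headers: dict, now: Optional[float] = None) -> str:
    """The 'almost trivial web service': read the forwarded token, return a session id."""
    token = headers.get("OIDC_access_token")
    if not token:
        raise TokenError("no token forwarded by the reverse proxy")
    claims = verify_token(token, now=now)
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "user": claims.get("preferred_username", claims["sub"]),
        "expires": claims["exp"],
    }
    return session_id


def session_user(session_id: str) -> str:
    return SESSIONS[session_id]["user"]


if __name__ == "__main__":
    tok = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "u-123",
                      "preferred_username": "rolf", "exp": time.time() + 300})
    sid = login_from_headers({"OIDC_access_token": tok})
    print("session", sid, "for", session_user(sid))
```

The checks that matter in the authenticator half are all in `verify_token`: the algorithm is pinned rather than read from the token, the signature is compared in constant time, and issuer, audience and expiry are validated before any session is created. The web-service half does nothing but pass the forwarded header through, which is the point of the post's remark that the redirect handling lives in the proxy and the web user interface, not in the authenticator.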