From megger at MPA-Garching.MPG.DE  Mon Aug  8 09:43:42 2011
From: megger at MPA-Garching.MPG.DE (matthias egger)
Date: Mon, 08 Aug 2011 18:43:42 +0200
Subject: TAP/UWS authentication - short survey
Message-ID: <4E40123E.9030602@mpa-garching.mpg.de>

Hi DAL/Grid List Members,

in the course of (beta-) testing our TAP service with TOPCAT we again came across the topic of authentication and SSO.

we need to protect our web services with a user-login, while TOPCAT's TAP interface currently does not support this.

we wonder now: what is the best practice there in the context of IVOA, TAP/UWS?

so i'd like to start a short discussion/survey about whether some of you have similar requirements and esp. which - if any - authentication system you are currently using, and possibly whether you also use distributed (web-) SSO protocols like SAML2 or OpenID.

in short:

* do you run a TAP service which requires authentication?

* if yes: which authentication method/system do you use:

  * (HTTP) BASIC
  * FORM-based
  * X.509 certificates
  * SAML2
  * OpenID
  * other: ?

background is that we need to put security on top of our web-applications (also considering frameworks like OpenID and SAML2/Shibboleth) and would like to hear what is most common and recommended in IVOA, also whether it is worth implementing (most common web-) authentication support in client tools, e.g. TOPCAT.

any feedback is very welcome.

thanks and regards!
matthias

--
--------------------------------------------------
Matthias Egger
Max Planck Institute for Astrophysics
web: www.mpa-garching.mpg.de
email: megger at mpa-garching.mpg.de
fon: +49-89-30000-2040
fax: +49-89-30000-2235
--------------------------------------------------


From mjg at cacr.caltech.edu  Mon Aug  8 10:08:52 2011
From: mjg at cacr.caltech.edu (Matthew Graham)
Date: Mon, 8 Aug 2011 10:08:52 -0700
Subject: TAP/UWS authentication - short survey
In-Reply-To: <4E40123E.9030602@mpa-garching.mpg.de>
References: <4E40123E.9030602@mpa-garching.mpg.de>
Message-ID: <167D2203-4BE8-4695-ABAA-5EA56EA47C07@cacr.caltech.edu>

Hi Matthias,

You should certainly have a look at the IVOA Recommendation for SSO (http://www.ivoa.net/Documents/latest/SSOAuthMech.html) in case you have not already done so. This recommends X.509 certificates and also says that "HTTP basic authentication shall not be used". The VAO is working on an OpenID system tied to our existing X.509 service.

Cheers,

Matthew

On Aug 8, 2011, at 9:43 AM, matthias egger wrote:

>
> Hi DAL/Grid List Members,
>
> in the course of (beta-) testing our TAP service with TOPCAT we again
> came across the topic of authentication and SSO.
>
> we need to protect our web services with a user-login, while TOPCAT's
> TAP interface currently does not support this.
>
> we wonder now: what is the best practice there in the context of IVOA,
> TAP/UWS?
>
>
> so i'd like to start a short discussion/survey about whether some of you
> have similar requirements and esp. which - if any - authentication
> system you are currently using, and possibly whether you also use
> distributed (web-) SSO protocols like SAML2 or OpenID.
>
> in short:
>
> * do you run a TAP service which requires authentication?
>
> * if yes: which authentication method/system do you use:
>
>   * (HTTP) BASIC
>   * FORM-based
>   * X.509 certificates
>   * SAML2
>   * OpenID
>   * other: ?
>
>
> background is that we need to put security on top of our
> web-applications (also considering frameworks like OpenID and
> SAML2/Shibboleth) and would like to hear what is most common and
> recommended in IVOA,
> also whether it is worth implementing (most common web-) authentication
> support in client tools, e.g. TOPCAT.
>
>
> any feedback is very welcome.
>
> thanks and regards! matthias
>
>
>
> --
> --------------------------------------------------
> Matthias Egger
> Max Planck Institute for Astrophysics
> web: www.mpa-garching.mpg.de
> email: megger at mpa-garching.mpg.de
> fon: +49-89-30000-2040
> fax: +49-89-30000-2235
> --------------------------------------------------
>


From patrick.dowler at nrc-cnrc.gc.ca  Wed Aug 10 10:08:03 2011
From: patrick.dowler at nrc-cnrc.gc.ca (Patrick Dowler)
Date: Wed, 10 Aug 2011 10:08:03 -0700
Subject: TAP/UWS authentication - short survey
In-Reply-To: <4E40123E.9030602@mpa-garching.mpg.de>
References: <4E40123E.9030602@mpa-garching.mpg.de>
Message-ID: <201108101008.04076.patrick.dowler@nrc-cnrc.gc.ca>

On 2011-08-08 09:43:42 matthias egger wrote:
> * do you run a TAP service which requires authentication

It does not require authentication, but users can authenticate if they want to (see below).

The "observation" tables in our TAP service contain both public and proprietary metadata and they describe public and proprietary data.
During the transformation from ADQL to SQL, we modify the query such that:

- anonymous users only see public metadata
- authenticated users see public metadata and proprietary metadata they are permitted to see
- we currently let people see the metadata for proprietary data and try to download it, since the retrieval system will challenge them and check authorisation; in theory we could predict the success of that and save the users some hassle/disappointment, but it's hard to see how to make that work "correctly" with ADQL queries

So, right now users get some value in authenticating *if* they could have access to proprietary metadata (they are part of an observing program for a telescope collection we host and still in proprietary period, for example).

In the very near future, we want to implement things like storing the query result from an async query directly in the user's VOSpace; that will require authentication *and* credential delegation. This would also be needed to support upload tables from a vos URI, assuming the vospace requires authentication.

see: http://www.ivoa.net/Documents/CredentialDelegation/

> * if yes: which authentication method/system do you use:
>
> * (HTTP) BASIC
>
> * FORM-based
>
> * X.509 certificates

We use IVOA SSO (X.509 client cert) on all https connections and no auth on http, so users can choose to authenticate by using https instead of http.

Well, that's the short version of the story... we have some internal use cases that are making it desirable to implement some kind of username/password auth on an alternate (probably unregistered) resource path. This is mainly because our users find certificates painful, although now that we know what we are doing and have resolved the issues it is pretty slick.

I'm not sure how to interpret the SSO mandate that basic auth *not* be used. It certainly cannot be the only way to authenticate, but I don't see how any spec can forbid custom behaviour that goes beyond the spec...
maybe it just means that such a resource cannot be considered an IVOA-compliant resource?

> * SAML2
>
> * OpenID

--
Patrick Dowler
Tel/Tél: (250) 363-0044
Canadian Astronomy Data Centre
National Research Council Canada
5071 West Saanich Road
Victoria, BC V9E 2M7

Centre canadien de donnees astronomiques
Conseil national de recherches Canada
5071, chemin West Saanich
Victoria (C.-B.) V9E 2M7


From megger at MPA-Garching.MPG.DE  Thu Aug 11 07:52:14 2011
From: megger at MPA-Garching.MPG.DE (matthias egger)
Date: Thu, 11 Aug 2011 16:52:14 +0200
Subject: TAP/UWS authentication - short survey
In-Reply-To: <4E40123E.9030602@mpa-garching.mpg.de>
References: <4E40123E.9030602@mpa-garching.mpg.de>
Message-ID: <4E43EC9E.5040402@mpa-garching.mpg.de>

Hi All,

thanks for all your responses. i'll try to summarize in short:

as expected there are all sorts of TAP services deployed: some are completely public, some with optional login, some fully protected.

1) preferences of security methods

from what i got one could NOT infer any preference of one security method over another. most mentioned were X.509 certificates, quite equally in both flavors:

- we are using them as our primary security method
- we don't and won't use and don't recommend them

so here we meet again the well-known pros and cons of X.509 certificates. we (MPA) also want to stay with username/password authentication and not use user-certificates (if we can avoid it).

1.1) SSO, OpenID

further, in the future we'd like to provide some convenient SSO over all our web services for our users (username/password based). for the sake of conformity we'd go for the one which is most widely used throughout IVOA. there was some mentioning of OpenID:

* VAO is working on an OpenID system tied to their existing X.509 service
* others seem to be interested in it, too

so we would like to hook into that approach.
2) service interoperability without certificates, OAuth

not using user (proxy-)certificates bears two challenges for service interoperability:

* authentication
* and esp.: delegation-of-trust

2.1) authentication: tls-with-password

looking into the IVOA SSO-AuthMech document, i find it leaves the details of securityMethod:tls-with-password quite open - or have i just missed it somewhere?

so i wonder whether it would make sense in the course of a future discussion to come up with, say, an extension to 'tls-with-password' which would "clearly" describe the details/metadata of that security-method in place, with the goal that protected services could also be properly accessed by means of interpreting the security-method metadata (beyond "just" tls-with-certificates).

2.2) delegation-of-trust

while that scenario is well covered with proxy-certificates, it is not-at-all with a username/password authn. so the only solution for the latter i have heard of yet would be applying OAuth(2). as i understand, this is what it's designed for. has someone any experience with it already? or are there any known constraints why it would not fit within the IVOA infrastructure?

3) TOPCAT and TAP

background of the question was how to allow TOPCAT to connect to a protected TAP service. currently there seems to be no clear preference for a security method and the mechanics are not clear (see 2.1). so we decided to be pragmatic for now, and Mark Taylor has been so nice as to build in rudimentary support for (HTTP) BASIC in TOPCAT as a _semi-official_ add-on. it will be part of the next TOPCAT release; you can try it out by downloading the pre-release version from:

ftp://andromeda.star.bris.ac.uk/pub/star/topcat/pre/

see below the cite of Mark's documentation and comments.

thanks and regards,
matthias


On 08/10/11 14:04, Mark Taylor wrote:
> I've made some changes to TOPCAT and STILTS.
> They now take notice of two new system properties,
>
>     star.basicauth.user
>     star.basicauth.password
>
> Here is the documentation:
>
>     star.basicauth.user
>     star.basicauth.password
>         If set, these will provide username and password for HTTP Basic
>         Authentication. Any time the application attempts to access an
>         HTTP URL and is met by a 401 Unauthorized response, it will try again
>         supplying these user credentials. This is a rather blunt instrument,
>         since the same identity is supplied regardless of which URL is being
>         accessed, but it may be of some use in accessing basic-authentication
>         protected services. This mechanism is experimental, and may be
>         modified or withdrawn in future versions.
>
> So if somebody has, say, an SSA service with basic auth, it will work
> for that too.
>
> You can set the system properties in the usual way as explained at
> http://www.starlink.ac.uk/topcat/sun253/jvmProperties.html
> either on the command line
> (topcat -Dstar.basicauth.user=mtaylor -Dstar.basicauth.password=xxx)
> or in a .starjava.properties file in your home directory
> (containing the lines:
>     star.basicauth.user=mtaylor
>     star.basicauth.password=xxx
> ).
>
> As noted this is not very elegant or scalable: for instance there's
> no way of using the same instance of TOPCAT to access two different
> services with different basic auth user/passwords. For that reason
> I'm marking it as experimental and I'm not going to emphasise it in
> the documentation. It's up to you how officially you want to
> recommend it to your users.
>
> It would be possible to modify the mechanism in future so that different
> basic auth identities are used for different services, possibly
> with some sort of GUI for setting it up, but this would be quite
> a bit more implementation effort. I'd do it if it looked like lots
> of services had a requirement to use basic auth, but it's not clear
> now that that is the case.
>
> There's one other issue: although I haven't tested it I think there may
> be a problem with getting this to work for table uploads in TAP,
> for somewhat complicated reasons to do with streaming of large
> uploaded tables. I don't know whether you are planning to offer
> uploads in your TAP service.

----------------------------------------

On 08/08/11 18:43, matthias egger wrote:
>
> Hi DAL/Grid List Members,
>
> in the course of (beta-) testing our TAP service with TOPCAT we again
> came across the topic of authentication and SSO.
>
> we need to protect our web services with a user-login, while TOPCAT's
> TAP interface currently does not support this.
>
> we wonder now: what is the best practice there in the context of IVOA,
> TAP/UWS?
>
>
> so i'd like to start a short discussion/survey about whether some of you
> have similar requirements and esp. which - if any - authentication
> system you are currently using, and possibly whether you also use
> distributed (web-) SSO protocols like SAML2 or OpenID.
>
> in short:
>
> * do you run a TAP service which requires authentication?
>
> * if yes: which authentication method/system do you use:
>
>   * (HTTP) BASIC
>   * FORM-based
>   * X.509 certificates
>   * SAML2
>   * OpenID
>   * other: ?
>
>
> background is that we need to put security on top of our
> web-applications (also considering frameworks like OpenID and
> SAML2/Shibboleth) and would like to hear what is most common and
> recommended in IVOA,
> also whether it is worth implementing (most common web-) authentication
> support in client tools, e.g. TOPCAT.
>
>
> any feedback is very welcome.
>
> thanks and regards! matthias
>
>

--
--------------------------------------------------
Matthias Egger
Max Planck Institute for Astrophysics
web: www.mpa-garching.mpg.de
email: megger at mpa-garching.mpg.de
fon: +49-89-30000-2040
fax: +49-89-30000-2235
--------------------------------------------------
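The ADQL-to-SQL rewrite Patrick describes (anonymous users see only public metadata, authenticated users additionally see the proprietary rows they are entitled to) can be done by substituting a filtered derived table for the observation table before the query runs. The block below is an added example written for this page; it is not CADC's code, and the schema (observation, proposal_member), column names, sample rows, user names and the release-date cut-off are all constructed for the illustration. It goes slightly beyond the thread in that it handles an aliased table reference and binds the username as a parameter so a crafted identity cannot widen the predicate.

```python
"""Row-level authorisation by query rewriting (added example, not CADC code).

Assumed schema (constructed for this example, not from the thread):
  observation(obs_id, proposal_id, release_date, target)
  proposal_member(username, proposal_id)
"""
import re
import sqlite3
from typing import List, Optional, Tuple

TABLE = "observation"

# Matches "FROM observation" or "JOIN observation" with an optional
# "AS alias"; the filtered derived table is substituted under the same alias.
_TABLE_REF = re.compile(
    r"\b(FROM|JOIN)\s+" + TABLE + r"\b(?:\s+AS\s+(\w+))?", re.IGNORECASE
)


def visibility_filter(user: Optional[str], today: str) -> Tuple[str, List[str]]:
    """Return (derived-table SQL, bound parameters) for this principal.

    Anonymous callers get rows whose proprietary period has ended.
    Authenticated callers additionally get rows of proposals they belong to.
    The username is bound with '?' rather than spliced into the SQL text.
    """
    if user is None:
        return (f"(SELECT * FROM {TABLE} WHERE release_date <= ?)", [today])
    return (
        f"(SELECT * FROM {TABLE} WHERE release_date <= ? "
        f"OR proposal_id IN (SELECT proposal_id FROM proposal_member "
        f"WHERE username = ?))",
        [today, user],
    )


def rewrite(query: str, user: Optional[str], today: str) -> Tuple[str, List[str]]:
    """Replace every reference to the observation table by the filtered view."""
    if "?" in query:
        # A user query must not carry placeholders: they would shift our
        # positional parameters and let the caller bind into the predicate.
        raise ValueError("placeholders are not allowed in user queries")
    view, params = visibility_filter(user, today)

    def _sub(m):
        alias = m.group(2) or TABLE
        return f"{m.group(1)} {view} AS {alias}"

    rewritten, n = _TABLE_REF.subn(_sub, query)
    if n == 0:
        raise ValueError("query does not reference the observation table")
    # The view appears n times, each occurrence with its own parameter copy.
    return rewritten, params * n


def build_demo_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE observation(obs_id TEXT, proposal_id TEXT,
                                 release_date TEXT, target TEXT);
        CREATE TABLE proposal_member(username TEXT, proposal_id TEXT);
        INSERT INTO observation VALUES ('A', 'P0', '2010-01-01', 'M31');
        INSERT INTO observation VALUES ('B', 'P1', '2012-06-01', 'M31');
        INSERT INTO observation VALUES ('C', 'P2', '2012-09-01', 'M31');
        INSERT INTO observation VALUES ('D', 'P1', '2012-06-01', 'M33');
        INSERT INTO proposal_member VALUES ('alice', 'P1');
        """
    )
    return con


def visible_obs(user: Optional[str], today: str = "2011-08-10") -> List[str]:
    """Run one fixed user query as the given principal; return the obs_ids."""
    query = ("SELECT obs_id FROM observation AS o "
             "WHERE o.target = 'M31' ORDER BY obs_id")
    sql, params = rewrite(query, user, today)
    con = build_demo_db()
    try:
        return [row[0] for row in con.execute(sql, params)]
    finally:
        con.close()


if __name__ == "__main__":
    for who in (None, "alice", "bob"):
        print(who or "anonymous", visible_obs(who))
```

The user's own WHERE clause still applies on top of the filtered view, so the authorisation predicate and the science predicate compose without the rewriter having to understand the rest of the query; that is also why the whole table reference, not individual columns, is the thing being substituted.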
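Mark's quoted note names the two weaknesses of the new TOPCAT mechanism: the same identity is sent to any URL that answers 401, and one instance cannot hold credentials for two services. The following is an added example, written in Python for this page rather than taken from TOPCAT or STILTS (which are Java); the class, hostnames, realms and credential values are constructed. It shows the client-side checks a practitioner would want before releasing a Basic credential: key the secret by TLS origin and realm, refuse to send it over plain http, and only answer a Basic challenge. The unscoped behaviour is kept alongside for contrast.

```python
"""Scoping HTTP Basic credentials on the client (added example, not TOPCAT code).

The blunt mechanism described in the thread answers every 401 with one
global identity. The store below keys credentials by (host, port, realm),
refuses to hold or send them for a non-TLS origin, and only answers a
Basic challenge. Hosts, realms and passwords below are constructed.
"""
import base64
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Only the first challenge in WWW-Authenticate is considered (assumption).
_BASIC_CHALLENGE = re.compile(r"^\s*Basic\b(.*)$", re.IGNORECASE | re.DOTALL)
_REALM = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def basic_header(user: str, password: str) -> str:
    """RFC 7617 credentials: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def blunt_header_for(url: str, status: int, user: str, password: str) -> Optional[str]:
    """The behaviour Mark describes: one identity for any 401, whatever the URL."""
    return basic_header(user, password) if status == 401 else None


def _origin(url: str) -> Optional[Tuple[str, int]]:
    """(host, port) for an https URL, or None when the scheme is not https."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), parts.port or 443)


class BasicAuthStore:
    """Credentials keyed by TLS origin and realm."""

    def __init__(self) -> None:
        self._creds: Dict[Tuple[str, int, str], Tuple[str, str]] = {}

    def add(self, service_url: str, realm: str, user: str, password: str) -> None:
        origin = _origin(service_url)
        if origin is None:
            raise ValueError("refusing to keep Basic credentials for a non-https origin")
        self._creds[origin + (realm,)] = (user, password)

    def header_for(self, url: str, status: int,
                   www_authenticate: Optional[str]) -> Optional[str]:
        """Authorization value to retry with, or None if nothing may be sent.

        All of these must hold: a 401 carrying a Basic challenge, an https URL,
        an origin we hold credentials for, and the realm that was registered.
        """
        if status != 401 or not www_authenticate:
            return None
        m = _BASIC_CHALLENGE.match(www_authenticate)
        if not m:
            return None          # e.g. a Bearer or Digest challenge
        realm_m = _REALM.search(m.group(1))
        realm = realm_m.group(1) if realm_m else ""
        origin = _origin(url)
        if origin is None:
            return None          # never send a cleartext password over http
        creds = self._creds.get(origin + (realm,))
        if creds is None:
            return None          # unknown host, port or realm
        return basic_header(*creds)


if __name__ == "__main__":
    store = BasicAuthStore()
    store.add("https://tap.example.org/tap", "TAP", "mtaylor", "xxx")
    for probe in ("https://tap.example.org/tap/sync", "http://tap.example.org/tap/sync",
                  "https://other.example.net/tap/sync"):
        print(probe, "->", store.header_for(probe, 401, 'Basic realm="TAP"'))
```

Keying on realm as well as origin matters because a single host can front several independently administered services; keying on the https origin is what stops a redirect to a look-alike host, or a downgrade to http, from harvesting the password, which is the concrete risk behind the "blunt instrument" remark and behind the SSO document's rule against Basic.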