airavata-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Schwartz, Terri" <te...@sdsc.edu>
Subject RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question
Date Wed, 13 Jul 2016 19:27:07 GMT
Hi Supun, per Marlon's request, I'm moving our conversation to the dev@airavata list.

If you're too busy prior to xsede to look into this error, let me know.  I'll switch to doing
something else until you've got time.

Terri
________________________________
From: Schwartz, Terri
Sent: Tuesday, July 12, 2016 12:27 PM
To: Supun Nakandala
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi,

Just tried running the example and got the error below.  I set the constants you sent me,
and in Main.java, set username and password to an existing user in the cipres_copy db.   (That's
the db you're using, right?)

[INFO] --- exec-maven-plugin:1.5.0:java (default-cli) @ cipres-scigap-idp-samples ---
Getting OAuth Access Token for User : scigap_tester1
[WARNING]
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:294)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.Exception: {"error_description":"Authentication failed for scigap_tester1@prod.cipres","error":"invalid_grant"}
    at org.apache.airavata.cipres.userstore.mgr.samples.OAuthTokenRetrievalSample.getOAuthToken(OAuthTokenRetrievalSample.java:59)
    at org.apache.airavata.cipres.userstore.mgr.samples.Main.main(Main.java:35)
    ... 6 more
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com]
Sent: Monday, July 11, 2016 7:40 PM
To: Schwartz, Terri
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

On Mon, Jul 11, 2016 at 6:45 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:
Hi again Supun,

If someone who's registered with cipres wants to use the file upload api outside of cipres,
let's say, with nothing except curl commands  (for an example, see "Quick Upload" in the readme
here: https://github.com/terrischwartz/tus_servlet  ) how would he get an access token from
the IU IDP?

One option is to give them OAuth client secret and client id pairs for each of them and they
will directly interact with the IDP to get access tokens. But I think this is not a viable
option where there is many users.

The most suitable way would be to implement some rest service to authenticate and retreive
access tokens from IDP which is similar to the authentication procesdure which can be done
in the Cipres web app.

Terri
________________________________
From: Schwartz, Terri
Sent: Monday, July 11, 2016 2:15 PM
To: Supun Nakandala

Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Supun, thanks for the link, that's perfect.

Regarding verification errors, I meant to ask what exception or error code will be returned
to the rest api in those 2 cases (invalid user, token expiration) because I'll want to handle
those errors specifically.  I can test to find out of course, but if this is documented, or
if you happen to know, that would be helpful.

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com<mailto:supun.nakandala@gmail.com>]
Sent: Monday, July 11, 2016 2:06 PM
To: Schwartz, Terri
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

On Mon, Jul 11, 2016 at 1:51 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:
Hi Supun,

I'm finally getting back to this, trying to remember how I was going to use it, and looking
at the example you sent me.  The example, wrapper classes especially, look great.  I think
it will go like this:

1. user logs into cipres, sends username and password to idp, gets back access token and refresh
token, stores them in
the user's session.
2. cipres puts the access token into file upload page, accessible to javascript
3. javascript sends request to the file upload rest api, including the access token in the
request. *
4. rest api sends access token to IDP for verification.  On success gets back username **
.
5a. rest api caches username/token and processes the user's request. ***
5b. If token has expired, rest api returns an authorization error.   Javascript catches the
error.  Now what???  Tell the user to log out and in again?  Have the page ask cipres to get
a new access_token using the refresh token cipres has stored?  Is this is safe so long as
cipres rejects requests from other sites (xss) ?

* I'd like the rest api to handle requests coming from other clients as well, so I want to
put the access token in the "standard" location.  Does this make sense?  Is there a specific
header and format I should use for sending the access token from cipres to the rest api?

The recommended way to do that is using Http Authorization header as documented in OAuth spec
https://tools.ietf.org/html/rfc6750#section-2.1
** What errors/exceptions will I get back if a) the token doesn't correspond to a known user
or b) the token has expired?
This depends on the implementation of your REST API. If the token is not valid an exception
will be thrown from the WSO2 IS client and at the REST API it can be caught and necessary
HTTP error codes can be returned.

*** If I'm caching username/token, I suppose I shouldn't use the cached info beyond the point
where the token would I expire if I were to validate it, right?  Would I use the AuthReponse.expires_in
to do that?  Is expires_in the number of seconds?
Yes it is the valid time period is in seconds. When caching you can add it to the current
system time and save. When checking the cached result you can check the time is less than
the current system time

Thanks, Terri
________________________________
From: Marru, Suresh [smarru@iu.edu<mailto:smarru@iu.edu>]
Sent: Thursday, June 23, 2016 11:06 AM

To: project@scigap.org<mailto:project@scigap.org>
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Supun used to surprise us, but we are used to it now.

This might be a small coding step, but this easy of integration is a big endorsement of all
the security design thoughts (thanks to CTSC) in the past 2 years. I briefly saw the integration
from WSO2 IS and its so cool. As an example, we can have a PGA instance for any one with a
CIPRES account can login to it. Or even better we can have a secured API call to Airavata
using the same OAuth2 token and Airavata will know who the user is. This by itself will not
mean anything yet, buts this is a platform we need to build the future workbench-airavata
integration efforts.

Suresh

On Jun 23, 2016, at 1:57 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

Hi Supun, thank you!  That was fast.  I'm going to be on vacation next week so probably won't
get a chance to work with this until I'm back, after the 4th of July.  I'm looking forward
to trying it out.

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com<mailto:supun.nakandala@gmail.com>]
Sent: Thursday, June 23, 2016 8:15 AM
To: project@scigap.org<mailto:project@scigap.org>
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi,

I have integrated SciGaP IDP to Cipres userstore and the integration code and the sample codes
on how to retrieve access tokens and validate access tokens can be found here https://github.com/SciGaP/CIPRES-SciGaP-IDP-Integration

The default valid time for an access token is 3 hours and the refresh token is valid up to
14 days.

@Terri
I will send the required credentials in a private email.

Thanks
-Supun

On Mon, Jun 20, 2016 at 1:19 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:
Pefect, talk to you then.

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu<mailto:smarru@iu.edu>]
Sent: Monday, June 20, 2016 10:17 AM

To: project@scigap.org<mailto:project@scigap.org>
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

How about we target 11 am ET (8 am PT)? On google hangout.

FYI, you can always find us on HipChat for quick queries https://www.hipchat.com/gMDHyN1KM

Suresh

On Jun 20, 2016, at 1:09 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

What time should we plan for?

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu<mailto:smarru@iu.edu>]
Sent: Monday, June 20, 2016 10:08 AM
To: Schwartz, Terri
Cc: project@scigap.org<mailto:project@scigap.org>; dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Yes Terri, tomorrow also works equally well.

Suresh

On Jun 20, 2016, at 1:05 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

Sounds good.  I can't do it at 11 today though.  Do you guys have time tomorrow morning? 
 Sometime between 7am to 10am PST (between 10 and 1 for you)?

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu<mailto:smarru@iu.edu>]
Sent: Monday, June 20, 2016 9:59 AM
To: Schwartz, Terri
Cc: project@scigap.org<mailto:project@scigap.org>; dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Hopefully the email discussion is helping a bit. How about a hangout at 2pm ET (11 am PT)
to walk through the current PHP (PGA) and Java (SEAGrid Desktop application) examples. We
have not done the java script ourselves, but we can use these references and help you accomplish
it.

Suresh

On Jun 20, 2016, at 12:18 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

"Could you walk me through what the code would do then?"  --  I mean the cipres javascript
and cipres web app code.

Terri
________________________________
From: Schwartz, Terri [terri@sdsc.edu<mailto:terri@sdsc.edu>]
Sent: Monday, June 20, 2016 9:15 AM
To: project@scigap.org<mailto:project@scigap.org>; Marru, Suresh
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Supun, thanks for writing this up.  The Resource Owner grant type is exactly the one I
was wondering about because the immediate issue for me is just how to deal with credentials
from ajax.   How long are these credentials typically valid for?   I'm trying to picture how
this works when the token expires.  The rest api is for uploading very large files so it seems
likely that the token may expire while the user is in the middle of a resumable upload.  
Could you walk me through what the code would do then?

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com<mailto:supun.nakandala@gmail.com>]
Sent: Monday, June 20, 2016 9:00 AM
To: Marru, Suresh
Cc: project@scigap.org<mailto:project@scigap.org>; dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi All,

I tried to identify the CIPRES authentication issues and the below diagram summarises the
current usecase and the solution I think for integration with SciGaP IDP.

<Blank Diagram - CIPRES (1).png>
1. As the first step we can integrate the CIPRES userstore with SciGaP IDP using a custom
user store extension (which we have to develop). This enables CIPRE to use Identity features
such as OAuth2.0 available in the SciGaP IDP.

2. From the user point of view the authentication process will be same as the current interaction
where user provides his/her username/password to the CIPRES portal. At the CIPRES web server
instead of directly authenticating the user against the userstore (or in addition to doing
this) user can be authenticated and an access token for the user can be obtained using the
OAuth 2.0 Resource Owner Password Grant Type. This access token can be sent back to the browser
application where it can be cached for future use.

3. When user wants to invoke the REST API instead of providing the username and the password
of the user now the access token can be provided in the HTTP headers and at the REST API the
access token can be verified from the SciGaP IDP. To improve performance valid access tokens
and corresponding user identities can be cached at the REST API.

The advantages of this approach are

1. User does not need to provide basic credentials when ever he/she wants to connect to REST
API.
2. CIPRESS can leverage the existing features of the SciGaP IDP without re  implementing a
token based authorization delegation solution for Single-Sign-On. Although some effort is
required to write a custom user store extension for connecting CIPRES user store to SciGaP
IDP.

Also storing the OAuth Access Token in the web browser is not an issue as storing the basic
credentials for the user because these access tokens are short lived.

Thanks.

On Mon, Jun 20, 2016 at 11:03 AM, Marru, Suresh <smarru@iu.edu<mailto:smarru@iu.edu>>
wrote:
Sorry Terri, We dropped the ball on this.

Can you and Supun plan to have a hangout today and walk through all these steps? he and I
are available from now.

Suresh

On Jun 20, 2016, at 10:57 AM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

Hi again,

I think some of the IU team are experienced with oauth2, right?  I could really use some advice
regarding the question I asked below.

Thanks, Terri
________________________________
From: Schwartz, Terri [terri@sdsc.edu<mailto:terri@sdsc.edu>]
Sent: Wednesday, June 15, 2016 5:18 PM
To: project@scigap.org<mailto:project@scigap.org>
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Suresh,

Yes, that's exactly it.

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu<mailto:smarru@iu.edu>]
Sent: Wednesday, June 15, 2016 4:26 PM
To: project@scigap.org<mailto:project@scigap.org>
Cc: dev@scigap.org<mailto:dev@scigap.org>
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Just to be clear, is the javascript in the authorized portion of the web application? I mean
is it safe to assume you will only get to this script after authentication?

Suresh

On Jun 15, 2016, at 5:46 PM, Schwartz, Terri <terri@sdsc.edu<mailto:terri@sdsc.edu>>
wrote:

Hi, during our face to face scigap meeting a couple of weeks ago, Suresh and Marlon asked
about how I thought I might make use of identity management services.  I couldn't think of
the specifics then but I have a use case I want to ask about now.

I developed a REST service that I want to use in the Cipres web application.  The rest service
will be called via ajax from javascript on a page in the Cipres web application.   I *don't*
want the user to be prompted to "give permission"; I want that to happen automatically.  I
would just use basic auth over https except that there's no secure way to do that from javascript.
 It would be ok with me if Cipres authenticates with the REST service and then uses a custom
mechanism (not oauth) to tell the rest api who the actual end user is.

Can someone tell me which oauth2 flow or grant type, if any, would be right for this?

Thanks,
Terri

--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.


--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.


--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev+unsubscribe@scigap.org<mailto:dev+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.



--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.


--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.


--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.



--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.


--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org<mailto:project+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Developer
List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev+unsubscribe@scigap.org<mailto:dev+unsubscribe@scigap.org>.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.



--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa



--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa

Mime
View raw message