Posted to dev@airavata.apache.org by "Schwartz, Terri" <te...@sdsc.edu> on 2016/07/13 19:27:07 UTC

RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Supun, per Marlon's request, I'm moving our conversation to the dev@airavata list.

If you're too busy prior to xsede to look into this error, let me know.  I'll switch to doing something else until you've got time.

Terri
________________________________
From: Schwartz, Terri
Sent: Tuesday, July 12, 2016 12:27 PM
To: Supun Nakandala
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi,

Just tried running the example and got the error below.  I set the constants you sent me, and in Main.java, set username and password to an existing user in the cipres_copy db.   (That's the db you're using, right?)

[INFO] --- exec-maven-plugin:1.5.0:java (default-cli) @ cipres-scigap-idp-samples ---
Getting OAuth Access Token for User : scigap_tester1
[WARNING]
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:294)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.Exception: {"error_description":"Authentication failed for scigap_tester1@prod.cipres","error":"invalid_grant"}
    at org.apache.airavata.cipres.userstore.mgr.samples.OAuthTokenRetrievalSample.getOAuthToken(OAuthTokenRetrievalSample.java:59)
    at org.apache.airavata.cipres.userstore.mgr.samples.Main.main(Main.java:35)
    ... 6 more
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com]
Sent: Monday, July 11, 2016 7:40 PM
To: Schwartz, Terri
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

On Mon, Jul 11, 2016 at 6:45 PM, Schwartz, Terri <te...@sdsc.edu> wrote:
Hi again Supun,

If someone who's registered with cipres wants to use the file upload api outside of cipres, let's say, with nothing except curl commands  (for an example, see "Quick Upload" in the readme here: https://github.com/terrischwartz/tus_servlet  ) how would he get an access token from the IU IDP?

One option is to give them OAuth client secret and client id pairs for each of them and they will directly interact with the IDP to get access tokens. But I think this is not a viable option where there are many users.

The most suitable way would be to implement some REST service to authenticate and retrieve access tokens from the IDP, similar to the authentication procedure which can be done in the Cipres web app.

Terri
________________________________
From: Schwartz, Terri
Sent: Monday, July 11, 2016 2:15 PM
To: Supun Nakandala

Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Supun, thanks for the link, that's perfect.

Regarding verification errors, I meant to ask what exception or error code will be returned to the rest api in those 2 cases (invalid user, token expiration) because I'll want to handle those errors specifically.  I can test to find out of course, but if this is documented, or if you happen to know, that would be helpful.

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com]
Sent: Monday, July 11, 2016 2:06 PM
To: Schwartz, Terri
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

On Mon, Jul 11, 2016 at 1:51 PM, Schwartz, Terri <te...@sdsc.edu> wrote:
Hi Supun,

I'm finally getting back to this, trying to remember how I was going to use it, and looking at the example you sent me.  The example, wrapper classes especially, look great.  I think it will go like this:

1. user logs into cipres, sends username and password to idp, gets back access token and refresh token, stores them in
the user's session.
2. cipres puts the access token into file upload page, accessible to javascript
3. javascript sends request to the file upload rest api, including the access token in the request. *
4. rest api sends access token to IDP for verification.  On success gets back username ** .
5a. rest api caches username/token and processes the user's request. ***
5b. If the token has expired, the rest api returns an authorization error.   Javascript catches the error.  Now what???  Tell the user to log out and in again?  Have the page ask cipres to get a new access_token using the refresh token cipres has stored?  Is this safe so long as cipres rejects requests from other sites (xss)?

* I'd like the rest api to handle requests coming from other clients as well, so I want to put the access token in the "standard" location.  Does this make sense?  Is there a specific header and format I should use for sending the access token from cipres to the rest api?

The recommended way to do that is using the HTTP Authorization header as documented in the OAuth spec https://tools.ietf.org/html/rfc6750#section-2.1
** What errors/exceptions will I get back if a) the token doesn't correspond to a known user or b) the token has expired?
This depends on the implementation of your REST API. If the token is not valid an exception will be thrown from the WSO2 IS client, and at the REST API it can be caught and the necessary HTTP error codes can be returned.

*** If I'm caching username/token, I suppose I shouldn't use the cached info beyond the point where the token would expire if I were to validate it, right?  Would I use the AuthReponse.expires_in to do that?  Is expires_in the number of seconds?
Yes, it is; the valid time period is in seconds. When caching you can add it to the current system time and save that. When checking the cached result you can check whether the saved time is less than the current system time.

Thanks, Terri
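An added example of the resource-server side that Supun's answers above describe: pull the bearer token out of the Authorization header as RFC 6750 section 2.1 specifies, validate it, answer 401 when the token is unknown or expired, and cache the validated username only until expires_in elapses, so the REST API never honours a token past the point where the IDP would reject it. This is not code from the thread or from the CIPRES-SciGaP integration (which is Java and uses the WSO2 IS client); it is Python, the IDP validation call is replaced by a constructed in-memory stand-in (FakeIdp), and the token strings, usernames, realm name, the WWW-Authenticate challenge format (RFC 6750 section 3) and the injectable clock are assumptions made for the demo.

```python
import re
import time


# RFC 6750 section 2.1: "Authorization: Bearer" 1*SP b64token, where b64token is
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_BEARER_RE = re.compile(r"^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$")


def extract_bearer_token(authorization_header):
    """Return the token from 'Authorization: Bearer <token>', or None if absent or malformed."""
    if not authorization_header:
        return None
    m = _BEARER_RE.match(authorization_header.strip())
    return m.group(1) if m else None


class TokenInvalid(Exception):
    """The IDP rejected the token: unknown, revoked or expired."""


class FakeIdp:
    """Constructed stand-in for the identity provider's token-validation call.

    It plays the role of the WSO2 IS client mentioned in the thread; a real
    resource server would call the IDP over HTTPS instead. Tokens are issued
    with a lifetime and rejected once it has run out.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}          # token -> (username, expiry as epoch seconds)
        self.validate_calls = 0    # lets the demo show cache hits vs. IDP round trips

    def issue(self, token, username, lifetime_seconds):
        self._tokens[token] = (username, self._clock() + lifetime_seconds)

    def validate(self, token):
        """Return (username, expires_in_seconds) or raise TokenInvalid."""
        self.validate_calls += 1
        entry = self._tokens.get(token)
        if entry is None:
            raise TokenInvalid("unknown token")
        username, expiry = entry
        remaining = expiry - self._clock()
        if remaining <= 0:
            raise TokenInvalid("token expired")
        return username, remaining


class BearerAuthenticator:
    """Authenticates REST requests by bearer token, caching validated identities.

    A cache entry lives only until the token itself would expire (validation
    time + expires_in), exactly the check discussed in the thread.
    """

    def __init__(self, validate, clock=time.time):
        self._validate = validate  # callable(token) -> (username, expires_in)
        self._clock = clock
        self._cache = {}           # token -> (username, expiry as epoch seconds)

    def authenticate(self, headers):
        """Return (200, username) or (401, {'WWW-Authenticate': ...})."""
        token = extract_bearer_token(headers.get("Authorization"))
        if token is None:
            # No usable bearer credentials: plain challenge, no error code (RFC 6750 3.1)
            return 401, {"WWW-Authenticate": 'Bearer realm="upload"'}
        now = self._clock()
        cached = self._cache.get(token)
        if cached is not None:
            username, expiry = cached
            if now < expiry:
                return 200, username
            del self._cache[token]  # stale entry: fall through and re-validate at the IDP
        try:
            username, expires_in = self._validate(token)
        except TokenInvalid:
            # Unknown and expired tokens both map to invalid_token for the client
            return 401, {"WWW-Authenticate": 'Bearer realm="upload", error="invalid_token"'}
        self._cache[token] = (username, now + expires_in)
        return 200, username
```

The authenticator deliberately does not distinguish "unknown" from "expired" in the response; both are `invalid_token` to the caller, which is enough for the page script to decide to fetch a fresh token, and avoids turning the upload API into an oracle for probing token validity.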
________________________________
From: Marru, Suresh [smarru@iu.edu]
Sent: Thursday, June 23, 2016 11:06 AM

To: project@scigap.org
Cc: dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Supun used to surprise us, but we are used to it now.

This might be a small coding step, but this ease of integration is a big endorsement of all the security design thoughts (thanks to CTSC) in the past 2 years. I briefly saw the integration from WSO2 IS and it's so cool. As an example, we can have a PGA instance that anyone with a CIPRES account can log in to. Or even better we can have a secured API call to Airavata using the same OAuth2 token and Airavata will know who the user is. This by itself will not mean anything yet, but this is a platform we need to build the future workbench-airavata integration efforts.

Suresh

On Jun 23, 2016, at 1:57 PM, Schwartz, Terri <te...@sdsc.edu> wrote:

Hi Supun, thank you!  That was fast.  I'm going to be on vacation next week so probably won't get a chance to work with this until I'm back, after the 4th of July.  I'm looking forward to trying it out.

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com]
Sent: Thursday, June 23, 2016 8:15 AM
To: project@scigap.org
Cc: dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi,

I have integrated SciGaP IDP to Cipres userstore and the integration code and the sample codes on how to retrieve access tokens and validate access tokens can be found here https://github.com/SciGaP/CIPRES-SciGaP-IDP-Integration

The default valid time for an access token is 3 hours and the refresh token is valid up to 14 days.

@Terri
I will send the required credentials in a private email.

Thanks
-Supun

On Mon, Jun 20, 2016 at 1:19 PM, Schwartz, Terri <te...@sdsc.edu> wrote:
Perfect, talk to you then.

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu]
Sent: Monday, June 20, 2016 10:17 AM

To: project@scigap.org
Cc: dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

How about we target 11 am ET (8 am PT)? On google hangout.

FYI, you can always find us on HipChat for quick queries https://www.hipchat.com/gMDHyN1KM

Suresh

On Jun 20, 2016, at 1:09 PM, Schwartz, Terri <te...@sdsc.edu> wrote:

What time should we plan for?

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu]
Sent: Monday, June 20, 2016 10:08 AM
To: Schwartz, Terri
Cc: project@scigap.org; dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Yes Terri, tomorrow also works equally well.

Suresh

On Jun 20, 2016, at 1:05 PM, Schwartz, Terri <te...@sdsc.edu> wrote:

Sounds good.  I can't do it at 11 today though.  Do you guys have time tomorrow morning?   Sometime between 7am to 10am PST (between 10 and 1 for you)?

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu]
Sent: Monday, June 20, 2016 9:59 AM
To: Schwartz, Terri
Cc: project@scigap.org; dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Hopefully the email discussion is helping a bit. How about a hangout at 2pm ET (11 am PT) to walk through the current PHP (PGA) and Java (SEAGrid Desktop application) examples. We have not done the java script ourselves, but we can use these references and help you accomplish it.

Suresh

On Jun 20, 2016, at 12:18 PM, Schwartz, Terri <te...@sdsc.edu> wrote:

"Could you walk me through what the code would do then?"  --  I mean the cipres javascript and cipres web app code.

Terri
________________________________
From: Schwartz, Terri [terri@sdsc.edu]
Sent: Monday, June 20, 2016 9:15 AM
To: project@scigap.org; Marru, Suresh
Cc: dev@scigap.org
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Supun, thanks for writing this up.  The Resource Owner grant type is exactly the one I was wondering about because the immediate issue for me is just how to deal with credentials from ajax.   How long are these credentials typically valid for?   I'm trying to picture how this works when the token expires.  The rest api is for uploading very large files so it seems likely that the token may expire while the user is in the middle of a resumable upload.   Could you walk me through what the code would do then?

Terri
________________________________
From: Supun Nakandala [supun.nakandala@gmail.com]
Sent: Monday, June 20, 2016 9:00 AM
To: Marru, Suresh
Cc: project@scigap.org; dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi All,

I tried to identify the CIPRES authentication issues and the below diagram summarises the current usecase and the solution I think for integration with SciGaP IDP.

<Blank Diagram - CIPRES (1).png>
1. As the first step we can integrate the CIPRES userstore with the SciGaP IDP using a custom user store extension (which we have to develop). This enables CIPRES to use identity features such as OAuth2.0 available in the SciGaP IDP.

2. From the user's point of view the authentication process will be the same as the current interaction, where the user provides his/her username/password to the CIPRES portal. At the CIPRES web server, instead of directly authenticating the user against the userstore (or in addition to doing this), the user can be authenticated and an access token for the user can be obtained using the OAuth 2.0 Resource Owner Password Grant Type. This access token can be sent back to the browser application where it can be cached for future use.

3. When the user wants to invoke the REST API, instead of providing the username and password of the user, the access token can now be provided in the HTTP headers, and at the REST API the access token can be verified with the SciGaP IDP. To improve performance, valid access tokens and the corresponding user identities can be cached at the REST API.

The advantages of this approach are

1. The user does not need to provide basic credentials whenever he/she wants to connect to the REST API.
2. CIPRES can leverage the existing features of the SciGaP IDP without re-implementing a token based authorization delegation solution for Single-Sign-On, although some effort is required to write a custom user store extension for connecting the CIPRES user store to the SciGaP IDP.

Also, storing the OAuth Access Token in the web browser is not as much of an issue as storing the basic credentials for the user, because these access tokens are short lived.

Thanks.
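An added example of the token exchange behind steps 2 and 3 of the design above, and of Terri's question in this thread about what happens when the access token expires in the middle of a long resumable upload. It is not code from the thread or from the CIPRES, SciGaP or Airavata projects: it is Python rather than the Java and PHP samples mentioned; the IDP token endpoint is a constructed in-memory stand-in (FakeTokenEndpoint) that applies the 3 hour / 14 day lifetimes quoted later in the thread and rotates refresh tokens on every use (a choice of this example, not something the thread states); and the token URL, client credentials and user passwords are demo values. The design point it encodes is that the web app keeps the refresh token in its server-side session and hands only the access token to the page, so a 401 from the upload API is handled by the web app refreshing and the page retrying, never by the browser holding a long-lived credential.

```python
import base64
import time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://idp.example/oauth2/token"   # assumed URL, not the real SciGaP IDP


def build_token_request(client_id, client_secret, form_fields):
    """HTTP request a confidential client sends to the token endpoint: client
    credentials in HTTP Basic (RFC 6749 2.3.1), grant parameters form-encoded
    (4.3.2 for grant_type=password, 6 for grant_type=refresh_token)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form_fields)}


class FakeTokenEndpoint:
    """Constructed stand-in for the IDP token endpoint (demo only).
    Lifetimes are the defaults quoted in the thread; refresh tokens are
    single-use and rotated on every refresh (this example's choice)."""
    ACCESS_LIFETIME = 3 * 3600
    REFRESH_LIFETIME = 14 * 24 * 3600

    def __init__(self, clients, users, clock=time.time):
        self._clients, self._users, self._clock = clients, users, clock
        self._refresh = {}    # refresh_token -> (username, expiry epoch seconds)
        self._n = 0

    def _mint(self, username):
        self._n += 1
        self._refresh[f"rt-{self._n}"] = (username, self._clock() + self.REFRESH_LIFETIME)
        return {"access_token": f"at-{self._n}", "token_type": "Bearer",
                "expires_in": self.ACCESS_LIFETIME, "refresh_token": f"rt-{self._n}"}

    def handle(self, request):
        """Return (status, json_body) the way the real endpoint would."""
        auth = request["headers"].get("Authorization", "")
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except Exception:
            return 401, {"error": "invalid_client"}
        if not auth.startswith("Basic ") or self._clients.get(client_id) != secret:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
        grant = form.get("grant_type")
        if grant == "password":
            user = form.get("username")
            if user is None or self._users.get(user) != form.get("password"):
                # Same shape as the invalid_grant body in the stack trace at the top
                return 400, {"error": "invalid_grant",
                             "error_description": f"Authentication failed for {user}"}
            return 200, self._mint(user)
        if grant == "refresh_token":
            entry = self._refresh.pop(form.get("refresh_token"), None)
            if entry is None or entry[1] <= self._clock():
                return 400, {"error": "invalid_grant"}
            return 200, self._mint(entry[0])
        return 400, {"error": "unsupported_grant_type"}


class WebAppSession:
    """Server-side session state of the web app for one logged-in user. Only the
    access token reaches the browser page; the refresh token never leaves the
    server, so page scripts (or an XSS payload) cannot obtain a 14-day credential."""

    def __init__(self, send, client_id, client_secret, clock=time.time):
        # send: callable(request) -> (status, body); an HTTPS client in real life
        self._send, self._client, self._clock = send, (client_id, client_secret), clock
        self.access_token, self.access_expiry, self._refresh_token = None, 0, None

    def _store(self, body):
        self.access_token = body["access_token"]
        self.access_expiry = self._clock() + body["expires_in"]   # absolute expiry
        self._refresh_token = body.get("refresh_token", self._refresh_token)

    def login(self, username, password):
        """Step 2 of the design: resource owner password grant at login time."""
        status, body = self._send(build_token_request(*self._client, {
            "grant_type": "password", "username": username, "password": password}))
        if status != 200:
            raise PermissionError(body.get("error_description", body["error"]))
        self._store(body)

    def refresh(self):
        """Called when the upload API answers 401 (expired access token).
        Returns False when the refresh token itself is gone: re-login needed."""
        status, body = self._send(build_token_request(*self._client, {
            "grant_type": "refresh_token", "refresh_token": self._refresh_token or ""}))
        if status != 200:
            return False
        self._store(body)
        return True

    def token_for_browser(self):
        """Access token to embed in the upload page, or None if already expired."""
        return self.access_token if self._clock() < self.access_expiry else None
```

With this split the page script only ever sees `token_for_browser()`; on a 401 from the upload API it asks its own web app (same origin, protected by the normal session cookie and CSRF check) to call `refresh()`, then retries the chunk with the new bearer token, so a resumable upload survives the 3 hour boundary without the user logging in again.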

On Mon, Jun 20, 2016 at 11:03 AM, Marru, Suresh <sm...@iu.edu> wrote:
Sorry Terri, We dropped the ball on this.

Can you and Supun plan to have a hangout today and walk through all these steps? he and I are available from now.

Suresh

On Jun 20, 2016, at 10:57 AM, Schwartz, Terri <te...@sdsc.edu> wrote:

Hi again,

I think some of the IU team are experienced with oauth2, right?  I could really use some advice regarding the question I asked below.

Thanks, Terri
________________________________
From: Schwartz, Terri [terri@sdsc.edu]
Sent: Wednesday, June 15, 2016 5:18 PM
To: project@scigap.org
Cc: dev@scigap.org
Subject: RE: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Suresh,

Yes, that's exactly it.

Terri
________________________________
From: Marru, Suresh [smarru@iu.edu]
Sent: Wednesday, June 15, 2016 4:26 PM
To: project@scigap.org
Cc: dev@scigap.org
Subject: Re: [SciGaP-Project] [SciGaP-Dev] oauth2 question

Hi Terri,

Just to be clear, is the javascript in the authorized portion of the web application? I mean is it safe to assume you will only get to this script after authentication?

Suresh

On Jun 15, 2016, at 5:46 PM, Schwartz, Terri <te...@sdsc.edu> wrote:

Hi, during our face to face scigap meeting a couple of weeks ago, Suresh and Marlon asked about how I thought I might make use of identity management services.  I couldn't think of the specifics then but I have a use case I want to ask about now.

I developed a REST service that I want to use in the Cipres web application.  The rest service will be called via ajax from javascript on a page in the Cipres web application.   I *don't* want the user to be prompted to "give permission"; I want that to happen automatically.  I would just use basic auth over https except that there's no secure way to do that from javascript.  It would be ok with me if Cipres authenticates with the REST service and then uses a custom mechanism (not oauth) to tell the rest api who the actual end user is.

Can someone tell me which oauth2 flow or grant type, if any, would be right for this?

Thanks,
Terri

--
You received this message because you are subscribed to the Google Groups "SciGaP Developer List" group.
Visit this group at https://groups.google.com/a/scigap.org/group/dev/.

--
You received this message because you are subscribed to the Google Groups "SciGaP Project Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project+unsubscribe@scigap.org.
Visit this group at https://groups.google.com/a/scigap.org/group/project/.
--
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa