Posted to dev@airavata.apache.org by "Kotabagi, Karan" <kk...@iu.edu> on 2018/05/19 02:57:26 UTC

Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi All,


I am working with the following Seagrid-rich client to replace the file upload mechanism with Nextcloud instead of SFTP.

I have the different nextcloud API code set-up that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.

I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API. After this is successful, I need to integrate the nextcloud API with the Seagrid-rich client.


Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).


Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.


Regards

Karan





Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Marru, Suresh" <sm...@iu.edu>.
Hi Karan,

The SEAGrid Rich Client to Airavata File Manager security handshake is over the OAuth2 protocol, whereas NextCloud KeyCloak is through SAML2. So you have two options:

1) Explore a Native OAuth2 Authentication within NextCloud — this is the preferred option.

2) Write a SAML2 client code within Rich Client.


For 1, you should look at the discussion at https://nextcloud.com/blog/security-in-nextcloud-12-new-authentication-mechanisms/ and https://help.nextcloud.com/t/nc12-build-in-oauth2-client-authentification/14852

I suggest you ask on NextCloud mailing list if anything has changed in supporting native OAuth2 Client authentication.

Suresh

On May 23, 2018, at 2:14 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hello Sudhakar,

Yes, it doesn't know anything with respect to the nextcloud and I am trying to set-up the same.

I wanted to use the existing authentication that is being carried out in the Seagrid-rich client to be utilized to login to the nextcloud server (which can be configured with keycloak), and understand the details with respect to the implementation of the existing authentication.

Regards
Karan
________________________________
From: Pamidighantam, Sudhakar <pa...@iu.edu>
Sent: Wednesday, May 23, 2018 2:02 PM
To: Airavata Dev
Cc: Supun Nakandala; Kariyattin, Sachin; Marru, Suresh
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Karan:

SEAgrid rich client uses Keycloak authentication in general and should be same for file upload service. Currently it does not know anything about NextCloud. But you are working on it.

Is there something specific you want to know?

Thanks,
Sudhakar.
On May 23, 2018, at 12:34 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi Supun,

I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.

Since we have a file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions that I need your help with regarding the seagrid-rich client. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.

1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?

2> I looked into the following code:
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
    In this, the sftp session is getting authenticated with the oauth token.
In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).

3> The token is being received from the Airavata Manager at
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
and I believe the token is set during the initial login.

Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?

Regards
Karan
________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

@Sachin, @Supun,

Thanks for the information, I will look into the same.

Regards
Karan
________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.

[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:
Hi All,

I am working with the following Seagrid-rich client to replace the file upload mechanism with Nextcloud instead of SFTP.

I have the different nextcloud API code set-up that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.

I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API. After this is successful, I need to integrate the nextcloud API with the Seagrid-rich client.

Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).

Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.

Regards
Karan







--
Regards,
Sachin Kariyattin






Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Kotabagi, Karan" <kk...@iu.edu>.
Hello Sudhakar,

Yes, it doesn't know anything with respect to the nextcloud and I am trying to set-up the same.

I wanted to use the existing authentication that is being carried out in the Seagrid-rich client to be utilized to login to the nextcloud server (which can be configured with keycloak), and understand the details with respect to the implementation of the existing authentication.


Regards

Karan

________________________________
From: Pamidighantam, Sudhakar <pa...@iu.edu>
Sent: Wednesday, May 23, 2018 2:02 PM
To: Airavata Dev
Cc: Supun Nakandala; Kariyattin, Sachin; Marru, Suresh
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Karan:

SEAgrid rich client uses Keycloak authentication in general and should be same for file upload service. Currently it does not know anything about NextCloud. But you are working on it.

Is there something specific you want to know?

Thanks,
Sudhakar.
On May 23, 2018, at 12:34 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi Supun,

I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.

Since we have a file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions that I need your help with regarding the seagrid-rich client. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.

1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?

2> I looked into the following code:
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
    In this, the sftp session is getting authenticated with the oauth token.
In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).

3> The token is being received from the Airavata Manager at
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
and I believe the token is set during the initial login.

Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?

Regards
Karan
________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

@Sachin, @Supun,

Thanks for the information, I will look into the same.

Regards
Karan
________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.

[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:
Hi All,

I am working with the following Seagrid-rich client to replace the file upload mechanism with Nextcloud instead of SFTP.

I have the different nextcloud API code set-up that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.

I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API. After this is successful, I need to integrate the nextcloud API with the Seagrid-rich client.

Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).

Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.

Regards
Karan







--
Regards,
Sachin Kariyattin




Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Pamidighantam, Sudhakar" <pa...@iu.edu>.
Karan:

SEAgrid rich client uses Keycloak authentication in general and should be same for file upload service. Currently it does not know anything about NextCloud. But you are working on it.

Is there something specific you want to know?

Thanks,
Sudhakar.
On May 23, 2018, at 12:34 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi Supun,

I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.

Since we have a file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions that I need your help with regarding the seagrid-rich client. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.

1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?

2> I looked into the following code:
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
    In this, the sftp session is getting authenticated with the oauth token.
In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).

3> The token is being received from the Airavata Manager at
    https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
and I believe the token is set during the initial login.

Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?

Regards
Karan
________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

@Sachin, @Supun,

Thanks for the information, I will look into the same.

Regards
Karan
________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.

[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:
Hi All,

I am working with the following Seagrid-rich client to replace the file upload mechanism with Nextcloud instead of SFTP.

I have the different nextcloud API code set-up that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.

I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API. After this is successful, I need to integrate the nextcloud API with the Seagrid-rich client.

Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).

Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.

Regards
Karan







--
Regards,
Sachin Kariyattin




Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by Supun Nakandala <su...@gmail.com>.
Yes that is a possibility. But that will require a significant integration
between those components and NextCloud. I don't know how flexible NextCloud
will be. Maybe Karan can shed some insight.


On Wed, May 23, 2018 at 8:29 PM, Marru, Suresh <sm...@iu.edu> wrote:

> Hi Supun,
>
> Yes there is and I agree we need a complex authorization mechanism. My
> tentative thinking is to integrate with replica catalog and sharing service
> so we enforce data sharing at API level. Any other ideas?
>
> Suresh
>
>
> On May 23, 2018, at 10:26 PM, Supun Nakandala <su...@gmail.com>
> wrote:
>
> @Karan, @Suresh
>
> Is there a plan to enable data sharing at the raw file level using
> NextCloud? If so we may need a more complex authorization mechanism.
>
> On Wed, May 23, 2018 at 3:07 PM, Kotabagi, Karan <kk...@iu.edu> wrote:
>
>> @Supun, @Suresh and Sudhakar,
>>
>>
>> Thanks!, for your inputs, I will have more questions moving ahead.
>>
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Supun Nakandala <su...@gmail.com>
>> *Sent:* Wednesday, May 23, 2018 4:42 PM
>> *To:* Kotabagi, Karan
>>
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>> Airavata
>>
>> Hi Karan,
>>
>> On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <kk...@iu.edu> wrote:
>>
>>> Hi Supun,
>>>
>>>
>>> I have followed the steps that Sachin gave and was able to configure the
>>> nextcloud with the keycloak server locally. The nextcloud interface will
>>> re-direct to the keycloak server to authenticate with the username and
>>> password.
>>>
>>>
>>> Since we have a file upload service code that will upload the file into
>>> the nextcloud without the keycloak authentication, I have the following
>>> few questions that I need your help with regarding the seagrid-rich
>>> client. We need to integrate this in such a way that the fileupload service
>>> will get authenticated with the keycloak server and then proceed to
>>> upload the file.
>>>
>>>
>>> 1> Is the seagrid-rich client currently configured to be
>>> authenticated with the keycloak server?
>>>
>>> Yes. In the login process seagrid client obtains an access token and it
>>> uses this access token as the password for the SFTP server. The SFTP server
>>> (Apache Mina implementation) verifies this access token from SFTP server
>>> end.
>>> https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java
>>> You can do something similar in NextCloud. I hope NextCloud would support
>>> some form of pluggable authentication model (PAM).
>>>
>>> 2> I looked into the following code:
>>>
>>>     https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
>>>
>>>     In this, the sftp session is getting authenticated with the oauth
>>> token.
>>>
>>> In the same way, is it possible to use the existing authentication
>>> mechanism to get the nextcloud authenticated? (by configuring the nextcloud
>>> login endpoint as the client in the existing keycloak server).
>>>
>>> The client should be the desktop client. Not the NextCloud server.
>>> NextCloud server will be the resource which has to enforce authentication
>>> and authorization using the access token.
>>>
>>> 3> The token is being received from the Airavata Manager at
>>>
>>>     https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
>>>
>>> and I believe the token is set during the initial login.
>>>
>>> Yes you are correct.
>>>
>>> Do you have any more of the details that I can look into to integrate
>>> the existing authentication mechanism in seagrid-rich client to login to
>>> the nextcloud server?
>>>
>>>
>>> Regards
>>>
>>> Karan
>>> ------------------------------
>>> *From:* Kotabagi, Karan <kk...@iu.edu>
>>> *Sent:* Saturday, May 19, 2018 11:03 AM
>>> *To:* Kariyattin, Sachin; Supun Nakandala
>>> *Cc:* Marru, Suresh; dev@airavata.apache.org
>>>
>>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>>> Airavata
>>>
>>>
>>> @Sachin, @Supun,
>>>
>>>
>>> Thanks for the information, I will look into the same.
>>>
>>>
>>> Regards
>>>
>>> Karan
>>> ------------------------------
>>> *From:* Supun Nakandala <su...@gmail.com>
>>> *Sent:* Saturday, May 19, 2018 12:07 AM
>>> *To:* dev
>>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>>> Airavata
>>>
>>> Hi Karan,
>>>
>>> In my opinion, the ideal approach to use in this scenario would be OAuth
>>> based authorization. KeyCloak supports OAuth and you can register a service
>>> provider and use that to give a prompt to the user to authorize the desktop
>>> client to communicate with the NextCloud server.
>>> After the user authorizes the client, KeyCloak will issue an access
>>> token which can be used on behalf of the user. NextCloud server will have
>>> to use this token and get it validated from the KeyCloak server to ensure
>>> the token bearer is authorized to access the NextCloud server.
>>>
>>> For obtaining this access token there are several grant flows in OAuth that
>>> you can use. Based on the type of the client and the level of security you
>>> can decide which grant flow to use.
>>>
>>> https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary
>>> of OAuth grant flows. I think the implicit grant flow will be most
>>> appropriate in this scenario.
>>>
>>>
>>>
>>> [1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1
>>>
>>> On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sachin9675@gmail.com
>>> > wrote:
>>>
>>>> Hi Karan,
>>>>
>>>> The following wiki lists the basic steps to configure keycloak with
>>>> NextCloud
>>>>
>>>> https://github.com/sachinkariyattin/NextCloud/wiki
>>>>
>>>> This can get you started
>>>>
>>>> On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>>
>>>>> I am working with the following Seagrid-rich client to replace the
>>>>> file upload mechanism with Nextcloud instead of SFTP.
>>>>>
>>>>>
>>>>> I have the different nextcloud API code set-up that uploads the file
>>>>> to the Nextcloud server that is set-up locally in Ubuntu. At present the
>>>>> password is hardcoded, so this should be authenticated with the help of
>>>>> keycloak as discussed with Suresh.
>>>>>
>>>>>
>>>>> I have discussed the things with Sachin and I have received some
>>>>> inputs to proceed with keycloak authentication and after that I can proceed
>>>>> to implement the same with the nextcloud API. After this is successful, I
>>>>> need to integrate the nextcloud API with the Seagrid-rich client.
>>>>>
>>>>>
>>>>> Further steps will also include to set-up Nextcloud in the existing
>>>>> file server and point the upload of the input files from the client to the
>>>>> same location where the existing files are saved (This needs to be further
>>>>> looked into with all the configurations).
>>>>>
>>>>>
>>>>> Any suggestions or inputs to proceed with the keycloak authentication
>>>>> mechanism to work instead of the password would be appreciated.
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Karan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> *Regards, Sachin Kariyattin *
>>>>
>>>
>>>
>>
>
>
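
The resource-server check discussed in this thread (the access token is sent as the password and then validated against the identity provider) can be sketched as follows. This is an added example, not part of any message above and not code from Airavata or NextCloud. It assumes the provider offers RFC 7662 token introspection; the endpoint URL, client id, secret, scope name and sample responses are constructed placeholders.

```python
import base64
import time
from urllib.parse import urlencode

# Hypothetical deployment values; none of them come from the thread.
INTROSPECT_URL = "https://idp.example.org/oauth2/introspect"
RESOURCE_CLIENT_ID = "file-server"         # the resource server's own client id
RESOURCE_CLIENT_SECRET = "placeholder-secret"
REQUIRED_SCOPE = "files:write"             # assumed scope name for uploads


def build_introspection_request(token):
    """Return (url, headers, body) for an RFC 7662 introspection POST.

    The resource server authenticates itself with HTTP Basic and sends the
    user's token in the form body, so it does not appear in the request URL.
    """
    creds = f"{RESOURCE_CLIENT_ID}:{RESOURCE_CLIENT_SECRET}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return INTROSPECT_URL, headers, body


def authorize_login(login_user, introspection, now=None):
    """Decide whether a token sent as the password authorizes login_user.

    `introspection` is the parsed JSON the identity provider returned.
    Returns (allowed, reason); every check fails closed.
    """
    now = time.time() if now is None else now

    # An unknown, revoked or expired token comes back as {"active": false}.
    if introspection.get("active") is not True:
        return False, "token inactive"

    # RFC 7662 makes exp optional; a token without it is rejected here.
    exp = introspection.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"

    # The token must have been issued for this resource server, otherwise a
    # token minted for some other service could be replayed against it.
    aud = introspection.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if RESOURCE_CLIENT_ID not in audiences:
        return False, "wrong audience"

    # The login name sent by the client must match the token's user, so one
    # user's valid token cannot open another user's files.
    if introspection.get("username") != login_user:
        return False, "user mismatch"

    if REQUIRED_SCOPE not in introspection.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


# Constructed sample responses (not captured from a real server).
NOW = 1527100000
GOOD = {"active": True, "exp": NOW + 300, "aud": "file-server",
        "username": "karan", "scope": "openid files:write"}
SAMPLES = {
    "valid": ("karan", GOOD),
    "revoked": ("karan", {"active": False}),
    "other user's token": ("alice", GOOD),
    "other audience": ("karan", {**GOOD, "aud": ["other-service"]}),
    "expired": ("karan", {**GOOD, "exp": NOW - 1}),
}


def run_samples():
    """Evaluate every constructed sample at the fixed time NOW."""
    return {name: authorize_login(user, resp, now=NOW)
            for name, (user, resp) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20} -> {verdict}")
```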

Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Marru, Suresh" <sm...@iu.edu>.
Hi Supun,

Yes there is and I agree we need a complex authorization mechanism. My tentative thinking is to integrate with replica catalog and sharing service so we enforce data sharing at API level. Any other ideas?

Suresh

On May 23, 2018, at 10:26 PM, Supun Nakandala <su...@gmail.com> wrote:

@Karan, @Suresh

Is there a plan to enable data sharing at the raw file level using NextCloud? If so we may need a more complex authorization mechanism.

On Wed, May 23, 2018 at 3:07 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

@Supun, @Suresh and Sudhakar,


Thanks for your inputs. I will have more questions moving ahead.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Wednesday, May 23, 2018 4:42 PM
To: Kotabagi, Karan

Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi Supun,


I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The  nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.


Since we have file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions with respect to the seagrid-rich client that I need your help with. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.


1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?

Yes. In the login process seagrid client obtains an access token and it uses this access token as the password for the SFTP server. The SFTP server (Apache Mina implementation) verifies this access token from SFTP server end. https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java. You can do something similar in NextCloud. I hope NextCloud would support some form of pluggable authentication model (PAM).

2>I looked into the following code:-

    *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java

    In this, the sftp session is getting authenticated with the oauth token.

In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).

The client should be the desktop client. Not the NextCloud server. NextCloud server will be the resource which has to enforce authentication and authorization using the access token.

3> The token is being received from the Airavata Manager at

     *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java

and I believe the token is set during the initial login.

Yes you are correct.

Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?


Regards

Karan

________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org

Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata


@Sachin, @Supun,


Thanks for the information, I will look into the same.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.



[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi All,


I am working with the following Seagrid-rich client to replace the file upload mechanism with the next cloud instead of the SFTP.


I have the different nextcloud API code set-up  that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.


I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API, after this is successful I need to integrate nextcloud API  with the Seagrid-rich client.


Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).


Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.


Regards

Karan







--
Regards,
Sachin Kariyattin





Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by Supun Nakandala <su...@gmail.com>.
@Karan, @Suresh

Is there a plan to enable data sharing at the raw file level using
NextCloud? If so we may need a more complex authorization mechanism.

On Wed, May 23, 2018 at 3:07 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

> @Supun, @Suresh and Sudhakar,
>
>
> Thanks for your inputs. I will have more questions moving ahead.
>
>
> Regards
>
> Karan
> ------------------------------
> *From:* Supun Nakandala <su...@gmail.com>
> *Sent:* Wednesday, May 23, 2018 4:42 PM
> *To:* Kotabagi, Karan
>
> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
> Airavata
>
> Hi Karan,
>
> On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <kk...@iu.edu> wrote:
>
>> Hi Supun,
>>
>>
>> I have followed the steps that Sachin gave and was able to configure the
>> nextcloud with the keycloak server locally. The  nextcloud interface will
>> re-direct to the keycloak server to authenticate with the username and
>> password.
>>
>>
>> Since we have file upload service code that will upload the file into
>> the nextcloud without the keycloak authentication, I have the following
>> few questions with respect to the seagrid-rich client that I need your
>> help with. We need to integrate this in such a way that the fileupload
>> service will get authenticated with the keycloak server and then proceed
>> to upload the file.
>>
>>
>> 1> Is the seagrid-rich client currently configured to be authenticated
>> with the keycloak server?
>>
>> Yes. In the login process seagrid client obtains an access token and it
>> uses this access token as the password for the SFTP server. The SFTP server
>> (Apache Mina implementation) verifies this access token from SFTP server
>> end.
>> https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java.
>> You can do something similar in NextCloud. I hope NextCloud would support
>> some form of pluggable authentication model (PAM).
>>
>> 2>I looked into the following code:-
>>
>>     *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
>>
>>     In this, the sftp session is getting authenticated with the oauth
>> token.
>>
>> In the same way, is it possible to use the existing authentication
>> mechanism to get the nextcloud authenticated? (by configuring the nextcloud
>> login endpoint as the client in the existing keycloak server).
>>
>> The client should be the desktop client. Not the NextCloud server.
>> NextCloud server will be the resource which has to enforce authentication
>> and authorization using the access token.
>>
>> 3> The token is being received from the Airavata Manager at
>>
>>      *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
>>
>> and I believe the token is set during the initial login.
>>
>> Yes you are correct.
>>
>> Do you have any more of the details that I can look into to integrate the
>> existing authentication mechanism in seagrid-rich client to login to
>> the nextcloud server?
>>
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Kotabagi, Karan <kk...@iu.edu>
>> *Sent:* Saturday, May 19, 2018 11:03 AM
>> *To:* Kariyattin, Sachin; Supun Nakandala
>> *Cc:* Marru, Suresh; dev@airavata.apache.org
>>
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>> Airavata
>>
>>
>> @Sachin, @Supun,
>>
>>
>> Thanks for the information, I will look into the same.
>>
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Supun Nakandala <su...@gmail.com>
>> *Sent:* Saturday, May 19, 2018 12:07 AM
>> *To:* dev
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>> Airavata
>>
>> Hi Karan,
>>
>> In my opinion, the ideal approach to use in this scenario would be OAuth
>> based authorization. KeyCloak supports OAuth and you can register a service
>> provider and use that to give a prompt to the user to authorize the desktop
>> client to communicate with the NextCloud server.
>> After the user authorizes the client, KeyCloak will issue an access token
>> which can be used on behalf of the user. NextCloud server will have to use
>> this token and get it validated from the KeyCloak server to ensure the
>> token bearer is authorized to access the NextCloud server.
>>
>> For obtaining this access token there are several grant flows in OAuth that
>> you can use. Based on the type of the client and the level of security you
>> can decide which grant flow to use.
>>
>> https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary
>> of OAuth grant flows. I think the implicit grant flow will be most
>> appropriate in this scenario.
>>
>>
>>
>> [1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1
>>
>> On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com>
>> wrote:
>>
>>> Hi Karan,
>>>
>>> The following wiki lists the basic steps to configure keycloak with
>>> NextCloud
>>>
>>> https://github.com/sachinkariyattin/NextCloud/wiki
>>>
>>> This can get you started
>>>
>>> On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>>
>>>> I am working with the following Seagrid-rich client to replace the file
>>>> upload mechanism with the next cloud instead of the SFTP.
>>>>
>>>>
>>>> I have the different nextcloud API code set-up  that uploads the file
>>>> to the Nextcloud server that is set-up locally in Ubuntu. At present the
>>>> password is hardcoded, so this should be authenticated with the help of
>>>> keycloak as discussed with Suresh.
>>>>
>>>>
>>>> I have discussed the things with Sachin and I have received some inputs
>>>> to proceed with keycloak authentication and after that I can proceed
>>>> to implement the same with the nextcloud API, after this is successful I
>>>> need to integrate nextcloud API  with the Seagrid-rich client.
>>>>
>>>>
>>>> Further steps will also include to set-up Nextcloud in the existing
>>>> file server and point the upload of the input files from the client to the
>>>> same location where the existing files are saved (This needs to be further
>>>> looked into with all the configurations).
>>>>
>>>>
>>>> Any suggestions or inputs to proceed with the keycloak authentication
>>>> mechanism to work instead of the password would be appreciated.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Karan
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> *Regards, Sachin Kariyattin *
>>>
>>
>>
>

Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Kotabagi, Karan" <kk...@iu.edu>.
@Supun, @Suresh and Sudhakar,


Thanks for your inputs. I will have more questions moving ahead.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Wednesday, May 23, 2018 4:42 PM
To: Kotabagi, Karan
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi Supun,


I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The  nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.


Since we have file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions with respect to the seagrid-rich client that I need your help with. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.


1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?

Yes. In the login process seagrid client obtains an access token and it uses this access token as the password for the SFTP server. The SFTP server (Apache Mina implementation) verifies this access token from SFTP server end. https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java. You can do something similar in NextCloud. I hope NextCloud would support some form of pluggable authentication model (PAM).

2>I looked into the following code:-

    *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java

    In this, the sftp session is getting authenticated with the oauth token.

In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).

The client should be the desktop client. Not the NextCloud server. NextCloud server will be the resource which has to enforce authentication and authorization using the access token.

3> The token is being received from the Airavata Manager at

     *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java

and I believe the token is set during the initial login.

Yes you are correct.

Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?


Regards

Karan

________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org

Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata


@Sachin, @Supun,


Thanks for the information, I will look into the same.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.



[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi All,


I am working with the following Seagrid-rich client to replace the file upload mechanism with the next cloud instead of the SFTP.


I have the different nextcloud API code set-up  that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.


I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API, after this is successful I need to integrate nextcloud API  with the Seagrid-rich client.


Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).


Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.


Regards

Karan







--
Regards,
Sachin Kariyattin



Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Kotabagi, Karan" <kk...@iu.edu>.
Hi Supun,


I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The  nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.


Since we have file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions with respect to the seagrid-rich client that I need your help with. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.


1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?



2>I looked into the following code:-

    *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java

    In this, the sftp session is getting authenticated with the oauth token.

In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).


3> The token is being received from the Airavata Manager at

     *https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java

and I believe the token is set during the initial login.


Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?


Regards

Karan

________________________________
From: Kotabagi, Karan <kk...@iu.edu>
Sent: Saturday, May 19, 2018 11:03 AM
To: Kariyattin, Sachin; Supun Nakandala
Cc: Marru, Suresh; dev@airavata.apache.org
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata


@Sachin, @Supun,


Thanks for the information, I will look into the same.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.



[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi All,


I am working with the following Seagrid-rich client to replace the file upload mechanism with the next cloud instead of the SFTP.


I have the different nextcloud API code set-up  that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.


I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API, after this is successful I need to integrate nextcloud API  with the Seagrid-rich client.


Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).


Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.


Regards

Karan







--
Regards,
Sachin Kariyattin


Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by "Kotabagi, Karan" <kk...@iu.edu>.
@Sachin, @Supun,


Thanks for the information, I will look into the same.


Regards

Karan

________________________________
From: Supun Nakandala <su...@gmail.com>
Sent: Saturday, May 19, 2018 12:07 AM
To: dev
Subject: Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.



[1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com> wrote:
Hi Karan,

The following wiki lists the basic steps to configure keycloak with NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

Hi All,


I am working with the following Seagrid-rich client to replace the file upload mechanism with the next cloud instead of the SFTP.


I have the different nextcloud API code set-up  that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.


I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API, after this is successful I need to integrate nextcloud API  with the Seagrid-rich client.


Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).


Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.


Regards

Karan







--
Regards,
Sachin Kariyattin


Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by Supun Nakandala <su...@gmail.com>.
Hi Karan,

In my opinion, the ideal approach to use in this scenario would be OAuth
based authorization. KeyCloak supports OAuth and you can register a service
provider and use that to give a prompt to the user to authorize the desktop
client to communicate with the NextCloud server.
After the user authorizes the client, KeyCloak will issue an access token
which can be used on behalf of the user. NextCloud server will have to use
this token and get it validated from the KeyCloak server to ensure the
token bearer is authorized to access the NextCloud server.

For obtaining this access token there are several grant flows in OAuth that you
can use. Based on the type of the client and the level of security you can
decide which grant flow to use.

https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of
OAuth grant flows. I think the implicit grant flow will be most appropriate
in this scenario.



[1] -
https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1

On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sa...@gmail.com>
wrote:

> Hi Karan,
>
> The following wiki lists the basic steps to configure keycloak with
> NextCloud
>
> https://github.com/sachinkariyattin/NextCloud/wiki
>
> This can get you started
>
> On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:
>
>> Hi All,
>>
>>
>> I am working with the following Seagrid-rich client to replace the file
>> upload mechanism with the next cloud instead of the SFTP.
>>
>>
>> I have the different nextcloud API code set-up  that uploads the file to
>> the Nextcloud server that is set-up locally in Ubuntu. At present the
>> password is hardcoded, so this should be authenticated with the help of
>> keycloak as discussed with Suresh.
>>
>>
>> I have discussed the things with Sachin and I have received some inputs
>> to proceed with keycloak authentication and after that I can proceed
>> to implement the same with the nextcloud API, after this is successful I
>> need to integrate nextcloud API  with the Seagrid-rich client.
>>
>>
>> Further steps will also include to set-up Nextcloud in the existing file
>> server and point the upload of the input files from the client to the same
>> location where the existing files are saved (This needs to be further
>> looked into with all the configurations).
>>
>>
>> Any suggestions or inputs to proceed with the keycloak authentication
>> mechanism to work instead of the password would be appreciated.
>>
>>
>> Regards
>>
>> Karan
>>
>>
>>
>>
>>
>>
>
>
> --
>
>
> *Regards,Sachin Kariyattin*
>
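
An added example, not part of the thread and not Airavata, NextCloud or KeyCloak code: the server-side check discussed above, where the file server receives the access token in place of a password and has it validated through OAuth 2.0 token introspection (RFC 7662) before accepting the upload. The endpoint host, realm, client id, user names and the function names are assumptions, and the introspection replies are constructed so the example runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder values (assumptions, not from the thread): use your own realm and client.
INTROSPECT_URL = ("https://keycloak.example.org/auth/realms/EXAMPLE"
                  "/protocol/openid-connect/token/introspect")
RESOURCE_CLIENT_ID = "nextcloud-resource"  # hypothetical client registered for the file server


def introspect_over_http(token, client_secret, url=INTROSPECT_URL):
    """POST the token to the introspection endpoint and return the parsed JSON reply."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{RESOURCE_CLIENT_ID}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authenticate(username, token, introspect, now=None,
                 expected_audience=RESOURCE_CLIENT_ID):
    """Decide whether `token`, presented as the password for `username`, is acceptable.

    `introspect` is any callable mapping a token to the introspection reply.
    Returns (ok, reason); every failure path denies access.
    """
    now = time.time() if now is None else now
    if not username or not token:
        return False, "missing credentials"
    try:
        claims = introspect(token)
    except Exception as exc:
        # Fail closed: an unreachable identity provider must not open the door.
        return False, f"introspection failed: {type(exc).__name__}"
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, "token inactive"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # Bind the token to the login name; otherwise any valid token logs in as anyone.
    if claims.get("username") != username:
        return False, "token issued to a different user"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_audience not in audiences:
        return False, "token not issued for this service"
    return True, "ok"


# Constructed introspection replies standing in for the KeyCloak server.
SAMPLE_REPLIES = {
    "tok-alice": {"active": True, "exp": 2000, "username": "alice",
                  "aud": ["nextcloud-resource"]},
    "tok-old": {"active": True, "exp": 900, "username": "alice",
                "aud": "nextcloud-resource"},
    "tok-other-svc": {"active": True, "exp": 2000, "username": "alice",
                      "aud": "some-other-client"},
    "tok-revoked": {"active": False},
}


def fake_introspect(token):
    """Offline stand-in for introspect_over_http; unknown tokens are inactive."""
    return SAMPLE_REPLIES.get(token, {"active": False})


def failing_introspect(token):
    """Simulates the identity provider being unreachable."""
    raise ConnectionError("KeyCloak unreachable")


if __name__ == "__main__":
    for user, tok in [("alice", "tok-alice"), ("bob", "tok-alice"),
                      ("alice", "tok-old"), ("alice", "tok-other-svc"),
                      ("alice", "tok-revoked")]:
        print(user, tok, authenticate(user, tok, fake_introspect, now=1000))
    print("alice", "tok-alice", authenticate("alice", "tok-alice", failing_introspect, now=1000))
```

In a deployment, `introspect` would be `lambda t: introspect_over_http(t, client_secret)`, with the secret read from configuration rather than hardcoded.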

Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata

Posted by Sachin Kariyattin <sa...@gmail.com>.
Hi Karan,

The following wiki lists the basic steps to configure keycloak with
NextCloud

https://github.com/sachinkariyattin/NextCloud/wiki

This can get you started

On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kk...@iu.edu> wrote:

> Hi All,
>
>
> I am working with the following Seagrid-rich client to replace the file
> upload mechanism with the next cloud instead of the SFTP.
>
>
> I have the different nextcloud API code set-up  that uploads the file to
> the Nextcloud server that is set-up locally in Ubuntu. At present the
> password is hardcoded, so this should be authenticated with the help of
> keycloak as discussed with Suresh.
>
>
> I have discussed the things with Sachin and I have received some inputs to
> proceed with keycloak authentication and after that I can proceed
> to implement the same with the nextcloud API, after this is successful I
> need to integrate nextcloud API  with the Seagrid-rich client.
>
>
> Further steps will also include to set-up Nextcloud in the existing file
> server and point the upload of the input files from the client to the same
> location where the existing files are saved (This needs to be further
> looked into with all the configurations).
>
>
> Any suggestions or inputs to proceed with the keycloak authentication
> mechanism to work instead of the password would be appreciated.
>
>
> Regards
>
> Karan
>
>
>
>
>
>


-- 


*Regards,Sachin Kariyattin*