Harry Kodden, SURF
Alan King, iRODS Consortium
pam_interactive iRODS authentication plugin and OIDC
February 14, 2024
TRiRODS
Chapel Hill, NC
Outline
- iRODS Authentication Working Group
- pam_interactive iRODS Authentication Plugin
- OIDC flow for authenticating with iRODS
iRODS Authentication Working Group - Origins
- Problem: PAM plugin for iRODS authentication is a single password prompt - does not allow for complex flows
- Proposed by SURF in 2020: develop a new iRODS authentication plugin for complex PAM configurations
iRODS Authentication Working Group - Plugin Framework
- Existing authentication plugins implemented only 5 strictly-ordered operations
- New plugin framework proposed JSON-based message passing interface with flexible operations
- Plugin framework was integrated in 4.3.0 (released June 2022)
pam_interactive
- SURF demonstrates pam_interactive plugin at iRODS UGM 2022
- Simple username/password, two-factor, and token exchange shown
- Leverages new auth plugin framework by implementing the "conversation service" flow
pam_interactive - Basic Authentication Flow
pam_interactive - OIDC flow
- One of SURF's primary use cases is to authenticate iRODS users through OIDC
- The new authentication plugin framework and pam_interactive have enabled a CLI flow like this
pam_interactive - More Information
Programmable authentication workflows in iRODS (iRODS UGM 2022):
- https://irods.org/uploads/2022/Wolfsheimer-Cacciari-SURF-Programmable_authentication_workflows_in_iRODS-paper.pdf
- https://www.youtube.com/watch?v=wEKQgpPnGk8
irods_auth_plugin_pam_interactive codebase:
iRODS Authentication Working Group:
TRiRODS Feb 2024 - pam_interactive iRODS Authentication Plugin and OIDC
By Alan King