Harry Kodden, SURF

Alan King, iRODS Consortium

pam_interactive iRODS authentication plugin and OIDC

February 14, 2024

TRiRODS

Chapel Hill, NC

Outline

  • iRODS Authentication Working Group
  • pam_interactive iRODS Authentication Plugin
  • OIDC flow for authenticating with iRODS

iRODS Authentication Working Group - Origins

  • Problem: PAM plugin for iRODS authentication is a single password prompt - does not allow for complex flows
  • Proposed by SURF in 2020: develop a new iRODS authentication plugin for complex PAM configurations

iRODS Authentication Working Group - Plugin Framework

  • Existing authentication plugins implemented only 5 strictly-ordered operations
  • New plugin framework proposed JSON-based message passing interface with flexible operations
  • Plugin framework was integrated in 4.3.0 (released June 2022)

pam_interactive

  • SURF demonstrated the pam_interactive plugin at iRODS UGM 2022
    • Simple username/password, two-factor, and token exchange shown
  • Leverages new auth plugin framework by implementing the "conversation service" flow

pam_interactive - Basic Authentication Flow

pam_interactive - OIDC flow

  • One of SURF's primary use cases is to authenticate iRODS users through OIDC
  • The new authentication plugin framework and pam_interactive have enabled a CLI flow like this

pam_interactive - More Information
