Harry Kodden, SURF

Alan King, iRODS Consortium

February 14, 2024

TRiRODS

Chapel Hill, NC

Outline

• iRODS Authentication Working Group
• pam_interactive iRODS Authentication Plugin
• OIDC flow for authenticating with iRODS

iRODS Authentication Working Group - Origins

• Problem: PAM plugin for iRODS authentication is a single password prompt - does not allow for complex flows
• Proposed by SURF in 2020: develop a new iRODS authentication plugin for complex PAM configurations

iRODS Authentication Working Group - Plugin Framework

• Existing authentication plugins implemented only 5 strictly-ordered operations
• New plugin framework proposed JSON-based message passing interface with flexible operations
• Plugin framework was integrated in 4.3.0 (released June 2022)

pam_interactive

• SURF demonstrates pam_interactive plugin at iRODS UGM 2022
  • Simple username/password, two-factor, and token exchange shown
• Leverages new auth plugin framework by implementing the "conversation service" flow

pam_interactive - Basic Authentication Flow

pam_interactive - OIDC flow

• One of SURF's primary use cases is to authenticate iRODS users through OIDC
• The new authentication plugin framework and pam_interactive have enabled a CLI flow like this

pam_interactive - More Information

Programmable authentication workflows in iRODS (iRODS UGM 2022):

• https://irods.org/uploads/2022/Wolfsheimer-Cacciari-SURF-Programmable_authentication_workflows_in_iRODS-paper.pdf
• https://www.youtube.com/watch?v=wEKQgpPnGk8

irods_auth_plugin_pam_interactive codebase:

• https://github.com/irods/irods_auth_plugin_pam_interactive

iRODS Authentication Working Group:

• https://github.com/irods-contrib/irods_working_group_authentication