Martin Flores
Research Software Developer
iRODS Consortium
Authenticating to iRODS
via OpenID Connect (OIDC)
November 12-17, 2023
Supercomputing 2023
Denver, CO
Overview
Authentication in iRODS
iRODS HTTP API
What is OAuth 2.0?
What is OpenID Connect?
How do they work together?
OAuth 2.0 Grant Flows
Implicit Grant
Client Credentials Grant
Authorization Code Grant
Of particular use for Confidential Clients
Resource Owner Password Credentials Grant
Demo Setup
OpenID Provider Configuration
HTTP API Configuration
...
"authentication": {
  ...
  "oidc": {
    "config_host": "127.0.0.1",
    "port": 8080,
    "uri": "/realms/test",
    "client_id": "my_client_id",
    "redirect_uri": "https://<domain>/irods-http/0.1.0/authenticate",
    "state_timeout_in_seconds": 600
  },
  ...
},
...
Additional OIDC Configuration
HTTP API OAuth/OIDC Flow
POST /irods-http/0.9.5/authenticate HTTP/1.1
Host: ...
User-Agent: ...
Accept: */*
Authorization: iRODS bV9jaHVjazpmZWVsc3NvZ29vZA==
POST /realms/test/protocol/openid-connect/token HTTP/1.1
Host: ...
User-Agent: ...
Accept: */*
Content-Length: 85
Content-Type: application/x-www-form-urlencoded
client_id=rods&grant_type=password&scope=openid&username=m_chuck&password=pass
{
  ...
  "id_token": "eyJhbGciOiJSUzI1Ni...",
  ...
}
API Consumer Sends Authorization
HTTP API Forwards login to OP
OP Provides 'id_token'
HTTP API OAuth/OIDC Flow
{
  "acr": "1",
  "at_hash": "uVEs_Qa_PNiwjPI53B_xPw",
  "aud": "rods",
  "auth_time": 0,
  "azp": "rods",
  "email": "testmail@testing.test",
  "email_verified": true,
  "exp": 1685544256,
  "family_name": "Mangione",
  "given_name": "Chuck",
  "iat": 1685543956,
  "irods_username": "chuck",
  "iss": "http://.../realms/test",
  "jti": "b88e1681-b743-4e92-802e-cb7c74fb7739",
  "name": "Chuck Mangione",
  "preferred_username": "m_chuck",
  "session_state": "6102608a-2e18-4d14-9273-344bde4851d2",
  "sid": "6102608a-2e18-4d14-9273-344bde4851d2",
  "sub": "8c7737cf-65fd-46a5-a54b-6ba45e574692",
  "typ": "ID"
}
'id_token' claims
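The server-side steps the flow above depends on, as an added example that is not the HTTP API's own code: unpacking the `iRODS` Authorization header, building the password-grant form the HTTP API posts to the OP, and checking the id_token claims (issuer, audience, authorized party, lifetime) before trusting `irods_username` as the account to log in. It assumes the JWT signature has already been verified against the OP's published keys; the sample claims are constructed from the values on the previous slide, whose issuer host is elided.

```python
import base64
from urllib.parse import urlencode

# Sample claims, constructed from the id_token shown on the slide (issuer host elided there).
SAMPLE_CLAIMS = {"iss": "http://.../realms/test", "aud": "rods", "azp": "rods", "typ": "ID",
                 "exp": 1685544256, "iat": 1685543956, "irods_username": "chuck",
                 "preferred_username": "m_chuck", "sub": "8c7737cf-65fd-46a5-a54b-6ba45e574692"}

def parse_irods_authorization(header):
    """Split an 'iRODS <base64(user:pass)>' Authorization value into (user, password)."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme != "iRODS" or not encoded:
        raise ValueError("expected the 'iRODS <base64>' authorization scheme")
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not base64-encoded text") from exc
    username, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep or not username:
        raise ValueError("credentials must be '<username>:<password>'")
    return username, password

def build_token_request(client_id, username, password):
    """Form body the HTTP API posts to the OP token endpoint (Resource Owner Password grant)."""
    return urlencode({"client_id": client_id, "grant_type": "password", "scope": "openid",
                      "username": username, "password": password})

def irods_username_from_id_token(claims, issuer, client_id, now):
    """Return the iRODS account an id_token maps to, after checking who issued it, for whom,
    and when. Assumes the JWT signature was already verified against the OP's JWKS."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("azp", client_id) != client_id:
        raise ValueError("authorized party mismatch")
    if claims.get("typ", "ID") != "ID":
        raise ValueError("not an ID token")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    if not isinstance(iat, int) or iat > now:
        raise ValueError("token issued in the future")
    username = claims.get("irods_username")
    if not isinstance(username, str) or not username:
        raise ValueError("no irods_username claim: cannot map this identity to an iRODS user")
    return username
```

Note that `preferred_username` (m_chuck) is not the iRODS account; only the custom `irods_username` claim (chuck) is, which is why its presence is checked explicitly.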
Demo Time!
Logging in as [m_chuck] with a password of [feelssogood].
Base64 encoded as [bV9jaHVjazpmZWVsc3NvZ29vZA==].
Running the command [curl -s -X POST -H "Authorization: iRODS $user_and_pass" 127.0.0.1:9000/irods-http/0.1.0/authenticate -v].
* Trying 127.0.0.1:9000...
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> POST /irods-http/0.1.0/authenticate HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/8.1.1
> Accept: */*
> Authorization: iRODS bV9jaHVjazpmZWVsc3NvZ29vZA==
>
< HTTP/1.1 200 OK
< Server: Boost.Beast/322
< Content-Type: text/plain
< Content-Length: 36
<
{ [36 bytes data]
* Connection #0 to host 127.0.0.1 left intact
Received the following token: [95d56783-1f0b-4e7b-8ece-598fcb37eea5].
Demo Time!
Looking at the collection [/tempZone/home/chuck].
Running the command [curl -s -G -H "authorization: Bearer $token" "127.0.0.1:9000/irods-http/0.1.0/collections" --data-urlencode "op=stat" --data-urlencode "lpath=$collection"].
Results:
{
  "inheritance_enabled": false,
  "irods_response": {
    "error_code": 0
  },
  "modified_at": 1685554932,
  "permissions": [
    {
      "name": "chuck",
      "perm": "own",
      "type": "rodsuser",
      "zone": "tempZone"
    }
  ],
  "registered": true,
  "type": "collection"
}
Demo Time!
Authorization Code Grant Demo Time!
Challenges
Considerations
Draft Specifications
References
Thank you!