Kory Draughn, Chief Technologist

Martin Flores, Software Developer

iRODS Consortium

June 17-20, 2025

iRODS User Group Meeting 2025

Durham, NC

Updates since UGM 2023

v0.1.0

• 88 issues closed - 10 bugs, 57 enhancements

v0.2.0

• 57 issues closed - 11 bugs, 25 enhancements
• Simplified OIDC configuration
• Improved separation between HTTP status codes and iRODS status codes
• Improved API documentation
• Improved API usage by constraining input requirements
• Improved stability
• Configuration validation on server startup

v0.3.0

• 6 issues closed - 1 bug, 4 enhancements
• Improved support for OIDC - Protected Resource mode
• Improved support for TLS between HTTP API and iRODS server

OAuth & OIDC in v0.3.0

• Three Major Features
  • OAuth 2.0 Confidential Client
  • Alternate User Mapping
  • HTTP API as an OAuth 2.0 Protected Resource
• Link to PR
  • https://github.com/irods/irods_client_http_api/pull/252

User Mapping - Overview

• Abstracted Mapping of JWTs to iRODS users
• Previously built-in mapping now plugins
  • user_attribute_mapping -> libirods_http_api_plugin-local_file.so
  • irods_user_claim -> libirods_http_api_plugin-user_claim.so
• Flexible mapping
  • e.g. query an external service for the mappings
    

User Mapping - Overview

User Mapping - Plugin Interface

• Simple C interface
• Full documentation in interface.h

User Mapping - Local File Configuration Example

Old Configuration

New Configuration

User Mapping - Local File Configuration Example

Text

Local File Mapping Example

User Mapping User Claim Configuration Example

Old Configuration

New Configuration

Local JWT Access Token Validation

Local JWT Access Token Validation

• Validate Tokens locally using JWKs
• Similar to access token introspection
• Retrieve JWKs on first validation attempt
  • Minimal communication to OpenID Provider
• Support for more OpenID Providers

Local JWT Access Token Validation - Supported Algorithms

Table in Section 3.1 from JWA RFC 7518

Local JWT Access Token Validation - Nonstandard Behavior

• Some OpenID providers may not use client_secret for symmetric ID Tokens
  • Allow for non-standard client secrets (nonstandard_id_token_secret)
• JWT Profile for OAuth 2.0 Access Tokens (RFC 9068)
  • Allow for "jwt" vs strictly "at+jwt" in "typ" header

HTTP API as an OAuth 2.0 Protected Resource

Example of Protected Resource Communications

HTTP API Local Validation 

Example of Local Validation

HTTP API Local Validation 

Demo

Future Improvements

• Encrypted JWTs
  • Depends on jwt-cpp library
• Fix timeout issue on some Providers
• Depend on OAuth 2.0 specs only
  • If enough providers support RFC 8414
• Allow configurable Access Token inspection
• Remove Client Mode
• Re-retrieve JWKs when possibly out of date
• Community suggestions

References

• OAuth 2.0
  • https://www.rfc-editor.org/rfc/rfc6749
• OpenID Connect Core
  • https://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Client Discovery
  • http://openid.net/specs/openid-connect-discovery-1_0.html
• OAuth 2.1 Draft
  • https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13
• Best Current Practice for OAuth 2.0 Security
  • https://datatracker.ietf.org/doc/html/rfc9700
• OAuth 2.0 Token Introspection
  • https://datatracker.ietf.org/doc/html/rfc7662

References

• OAuth 2.0 Authorization Server Metadata
  • https://datatracker.ietf.org/doc/html/rfc8414
• JSON Web Key (JWK)
  • https://www.rfc-editor.org/rfc/rfc7517.html
• JSON Web Algorithms (JWA)
  • https://www.rfc-editor.org/rfc/rfc7518.html
• JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
  • https://www.rfc-editor.org/rfc/rfc9068.html
• JSON Web Encryption (JWE)
  • https://www.rfc-editor.org/rfc/rfc7516.html
• JSON Web Signature (JWS)
  • https://www.rfc-editor.org/rfc/rfc7515.html

OAuth 2.0 Confidential Client

• OAuth 2.0 Client Authentication
  • Currently Support Password Based Authentication
  • Both Client and Protected Resource modes supported

Alternate User Mapping

• Previously required mapping in OpenID Provider
• Provide mapping in configuration file

Alternate User Mapping

Text

User Mapping Example

Alternate User Mapping

• Protected Resource Mode
  • Map via Introspection Endpoint
• Client Mode
  • Map via OpenID Connect ID Token
• Information received dependent on configuration

Alternate User Mapping

Text

Token Introspection Example

HTTP API as an OAuth 2.0 Protected Resource

• Removes HTTP API from OAuth authentication flows
  • Simplifies Code Executed
  • Streamlines Integration with OpenID Provider
• Only handle Access Token
• Currently Supports OAuth 2.0 Introspection Endpoint

HTTP API as an OAuth 2.0 Protected Resource

Example of Protected Resource Communications

Draft Specifications

• OAuth 2.0 Security Best Practices Draft (Work in Progress)
  • Resource Owner Password Credentials MUST NOT be used 
• OAuth 2.1 Draft (Work in Progress)
  • Resource Owner Password Credentials Omitted
  • Removal of Implicit Grant

References

• OAuth 2.0
  • https://www.rfc-editor.org/rfc/rfc6749
• OpenID Connect Core
  • https://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Client Discovery
  • http://openid.net/specs/openid-connect-discovery-1_0.html
• OAuth 2.1 Draft
  • https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11
• OAuth 2.0 Security Best Current Practice Draft
  • https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-27
• OAuth 2.0 Token Introspection
  • https://datatracker.ietf.org/doc/html/rfc7662

Future Work

High Priority

• Make write operation web-friendly
• Log client IP or other identifier(s) to distinguish users in log output

Medium Priority

• Externalize OIDC user mapping
• Update to use 4.3.2 GenQuery2 API
• Implement missing iRODS API operations

Considering

• Status / Cancellation operations for active transfers
• Extending the lifetime of Basic Authentication tokens on use
• Using API documentation generation tool

Thank you!

Questions?