
WebAuth. What next?

Proposed by Booker Bense

Notes

WebAuth -- What next?
41 attendees

Led by Booker Bense, SLAC

Manages SLAC's WebAuth port

Suggestions

OAUTH --> Skin -- as a service to WebAuth

Use cases and implementation

History of Web Authentication

API Authentication -- password over SSL

OAuth 1 --> required a verified signature on every request; no one could make it work

crypto is hard

OAuth 2 --> use https for everything; another way of doing API authentication

authenticating people in apps that aren't browsers

This happened over the last 5-8 years; OAuth 2 is the way most people do API authentication now. You need to have clients act on behalf of people.

WebAuth never tells you no. It just tells you where to go.

APIs tell you no, sod off

OpenID experiment -- have a blog and authenticate, but nobody understands URLs, only email addresses... no trust or anything

The brand caught on, then somebody came out with OpenID Connect

Facebook and Google are using it

The future is OpenID Connect

Opinion is to use OpenID Connect instead of WebAuth

There is an OAUTH server on campus

OAuth 2 is used by Twitter and Facebook -- "Do you want ______ to have access to your photos, friends, etc?".

Monitor a website or application from end to end

Instead of authenticating a person, need to authenticate a machine

Recommend -- use Drupal for authentication, but doesn't replicate going through WebAuth

One advantage of going through SAML is that you authenticate everything

Most systems use UserID/SUNet ID to authenticate

We don't have granularity... people need to have access to certain things, not everything. Are you in or out vs. what can you access or not?

Would your applications know enough about what to do with remote users?

What else doesn't work?

One thing missing is a link between SUNet ID and password and passing information over

Enforce two-factor within SAML instead of VPN in SoM -- not a burning issue, but being thought about

Any technical reason to treat services differently?

Would like to have a SUNet user "iso-scanning" to do scans with basic authentication?

There are some places that allow it. Test account setup requires a lot of work, but it's low on the list.

WebAuth edge case -- hashmark (URL fragment) in the URL. If the user hasn't authenticated, the page crashes: WebAuth can't send the user back to a URL with a hashmark, because the browser never sends the fragment to the server.

Hashmark is evil... why even using it?

16 - OpenID Connect

9 - Force 2-Step via SAML

13 - Support for system users in WebAuth

4 - Packaging (Non-Debian)

16 - Test Accounts

Priority from the community (top 2):

Test Accounts

OpenID Connect