Closed Charlotte-Holt closed 9 months ago
@lauracowen I can't access either of the box notes above - the second appears to be expired and I don't have permission to the first - if another link is available can you share with me? The KC resources are helpful but I need to know what is specific to OL. I'm going to work through the Securing a web application guide, which should help as well.
Oops, sorry. The first was to the Intro to Security MP4 video and the second is the slides to that video. You can find them both in here: https://ibm.box.com/s/wokyhx7j1yr8883ehpdcnj2irzvao1xx (intranet only - sorry, the external links now expire quickly). The presentation was given to customers and anyone interested at the end of last year, I think.
Worth watching the intro to security video to get a general overview of what liberty security is about. Most of it is relevant to cloud deployments (though it doesn't specifically talk about that).
Draft up for review at https://draft-openlibertyio.mybluemix.net/docs/ref/general/#authentication.html
Awaiting links to other docs (SSO topics) currently in development.
Needs a diagram.
Added suggested edits from Bruce Tiffany and put in a diagram mock-up. Diagram will need to be cleaned up once the content is approved
@dmuelle Peer review feedback:
"After authentication, an application can obtain a JSON Web Token (JWT) from the social media service or associated Open ID Connect provider, or create a new one."
be changed to
"After authentication, an application can either obtain a JSON Web Token (JWT) from the social media service or associated Open ID Connect provider, or create a new one."
I just got a little lost in that sentence when reading it.
"Open Liberty supports the following options for SSO authentication:"
I feel like maybe the SSO type headings should be another size smaller? Right now, I kind of expect a list of the same size, or maybe slightly larger, but the list of large headings following that sentence makes it feel like I'm missing something when I'm reading.
"Open ID" should be one word ("OpenID").
"Open" before "Liberty" in the Social media login section.
"Authentication" may not need to be capitalized in the "JAAS Authentication with Open Liberty" heading.
"of" needs to be added in "Each LoginModule interface represents a particular type authentication service."
"JAAS is pluggable: new or updated authentication processes can be plugged in to an application without otherwise modifying the application itself." to not use a colon. It feels a little abrupt compared to the structure of the rest of the content.
I think you did a really nice job introducing what authentication is and framing it in the context of cloud-native microservice development (i.e., what it means for OL users).
Thanks for this review @Charlotte-Holt - the issues you've raised are addressed in this PR - https://github.com/OpenLiberty/docs/pull/977 Note that some of the links in the SSO section (OIDC, SPNEGO, Social Login) will need to be updated from the gen doc to the concept topics once they are written
Nice! Thank you.
Couple of comments:
Thanks @lauracowen - these issues are addressed in this PR - https://github.com/OpenLiberty/docs/pull/981
Draft up for review at https://draft-openlibertyio.mybluemix.net/docs/ref/general/#authentication.html
Updates per Ajay Reddy review:
UserRegistry interface - do you have a link to where they can find out more?
Other than that, the topic looks great. Thank you.
Can you get someone to do a more Design-like version of the diagram? yes- sent this mockup to Jay Cagle to get a proper diagram, waiting to hear back
UserRegistry interface - this is pending the OL javadoc update, as we discussed via slack
could "that are hosted on the Open Liberty server" be just "that are hosted on Open Liberty"? edited
"to authenticate users when they are accessing application servers." changed to "web applications or services"
Can you check which heading level is used for the JAAS section heading - it looks huge! oops, fixed
is it worth saying "Java Authentication and Authorization Service (JAAS), a Jakarta EE standard," added that clause and changed "Open Liberty uses.." to "Open Liberty relies on.." to make it more clear JAAS is an underlying standard, as opposed to an auth mechanism
Great, thanks. There's not a lot we can do about the javadoc immediately but we can work on that separately. Aside from the diagram, I think this is good to go.
@lauracowen the new diagram from design is now on the draft site- let me know if it needs any further tweaking. Otherwise this should be ready to publish with the rest of the security topics?
https://draft-openlibertyio.mybluemix.net/docs/ref/general/#authentication.html
Pretty! :) I'm going to assume it's technically correct so if it's now there, I'm happy for this to be queued up with the rest of the security docs. Thanks
Yup - this is the same one that Bruce et al signed off on in the one liberty slack discussion, just fitted and finished. I'll mark it ready to publish.
Requested final peer review from @rw2513
This is a well-written topic, I just have a couple of comments:
Thanks @Rwalls1 - I've updated the topic to fix that sentence and repair the broken links
https://draft-openlibertyio.mybluemix.net/docs/ref/general/#authentication-open-liberty.html
@dmuelle looks good!
Issues addressed in new editing pass:
Hi David,
Nice job with the topic! I have a few comments:
@chirp1 thanks for reviewing. I made the following changes per your review:
https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/authentication.html
[x] Crisp up the words that go with the diagram so that they match better.
I updated both the diagram and the description. I didn't end up adding the numbered steps to the description because it would have made the description much longer and more complex. If more detail is needed, I can revise the description into an ordered list to match the steps.
[x] Having "5. Create JWT" inside the Application rectangle seems inconsistent with the other rectangles and the oval in the diagram.
Moved this text outside of the square.
[x] Consistently call a particular registry by the same name.
Updated all references to be either "user registry", "basic user registry", "LDAP user registry", or "custom user registry".
[x] The sentence, "The Application Security feature provides core support for user registries in Open Liberty.", to me it says that it offers support for basic, custom, and LDAP user registries, since that is what the "User registries" section talks about. However, the Application Security feature lists only the basicRegistry configuration element. I don't see anything for LDAP or custom. If there is a discrepancy, resolve it.
Removed this sentence as it was not consistent and didn't add much value anyway.
[x] Instead of having the six subsections under the "Single-sign on" section, how about if you have a bulleted list?
Converted sections to a bulleted list of items that link to the relevant sections of the SSO doc. After discussing OIDC with @lauracowen, opted to remove it from the example and topic - strategically, it's mainly relevant as the underlying protocol for social logins and including a specific section about it doesn't add value for most users.
Comments from @utle in 2746:
https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/authentication.html
Should we link to the UserRegistry interface?
"If your application needs to reference a user registry other than a basic or LDAP user registry, you can configure a custom user registry by implementing the UserRegistry interface"
Should we have the same SSO order as https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/single-sign-on.html? Also the SSO provider links seem to link to the article, not to the specific SSO provider.
"Open Liberty supports the following options for SSO authentication:
Social Media Login
JSON Web Tokens (JWT)
Lightweight Third Party Authentication (LTPA)
Security Assertion Markup Language (SAML)
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)"
The SSO article has:
Social Media Login
JSON Web Tokens (JWT)
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
Security Assertion Markup Language (SAML)
Lightweight Third Party Authentication (LTPA)
@utle thanks for reviewing:
Should we link to the UserRegistry interface? There's currently no API documentation in Open Liberty, so for the time being, I've linked to the Liberty KC for this interface. However, this section and this link will be updated once #2418 "Developing a custom user registry with BELLS" publishes.
Should we have the same SSO order as https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/single-sign-on.html? I've reordered the list to match the order in the SSO topic
Also the SSO provider links seem to link to the article, not to the specific SSO provider. This is a bug with the Open Liberty site that is being addressed in https://github.com/OpenLiberty/openliberty.io/issues/1886
Hi David, Here are my latest comments:
@chirp1 thanks for reviewing. I made the following changes to the draft:
Hi!
@chirp1 - made the following changes per your review:
[x] For the "...Social Media Login feature..." link, have the link include "feature" since you have a link further down to "Social Media Login" in the SSO topic, and the two links link to different information.
[x] You have " SSO identity provider" in a paragraph and "SSO provider" in the diagram. Use the same term in both.
[x] Revised the diagram description and reformatted it into an ordered list. Note - once the diagram and description are finalized and approved in this topic I will make corresponding edits to the Authorization topic, which has the same diagram.
https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/authentication.html
@dmuelle Hi David, I spotted another item to comment on:
@chirp1 I think although a database could be a web service, in most cases the application communicates with an API, which would in turn communicate with the DB. I've updated the sentence to be more clear:
The application communicates with other services, such as APIs, to complete the user’s request. These services use the JWT to authenticate the user’s identity and authorize access to resources that are permitted for the user’s security role.
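The flow in that revised sentence, shown as an added example that is not code from the docs topic under review or from the Open Liberty project: a downstream JAX-RS service on Open Liberty that authenticates the caller from the JWT it presents, verifies the token against a configured issuer, and authorizes by the roles carried in the token's groups claim. The issuer and JWKS URLs, the audience, the package and the role names are assumptions.

```java
// Added example, not from the Open Liberty docs topic under review.
// Assumed server.xml for the downstream service (issuer, jwksUri, audience and
// group/role names are hypothetical):
//
//   <featureManager>
//     <feature>jaxrs-2.1</feature>
//     <feature>mpJwt-1.1</feature>
//   </featureManager>
//   <!-- Only tokens signed with a key from this issuer's JWKS and addressed to
//        this audience are accepted; anything else is rejected with 401. -->
//   <mpJwt id="myMpJwt"
//          issuer="https://issuer.example.com"
//          jwksUri="https://issuer.example.com/jwks"
//          audiences="orders-service"/>
//   <application location="orders.war">
//     <application-bnd>
//       <!-- map the token's "groups" claim values onto the app's security roles -->
//       <security-role name="customer"><group name="customer"/></security-role>
//       <security-role name="admin"><group name="admin"/></security-role>
//     </application-bnd>
//   </application>

// --- OrdersApplication.java ---
package example.orders;

import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// MP-JWT tells Open Liberty to authenticate every request to this app from the
// "Authorization: Bearer <jwt>" header instead of a login form or LTPA cookie.
@ApplicationPath("/api")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({"customer", "admin"})
public class OrdersApplication extends Application {
}

// --- OrdersResource.java ---
package example.orders;

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/orders")
@RequestScoped
public class OrdersResource {

    // The already-verified token for this request (signature, issuer, audience
    // and expiry were checked by the container before the method is reached).
    @Inject
    private JsonWebToken jwt;

    @Context
    private SecurityContext securityContext;

    // Any authenticated customer may list their own orders. The identity is taken
    // from the verified token, never from a caller-supplied query parameter.
    @GET
    @Path("/mine")
    @RolesAllowed("customer")
    @Produces(MediaType.TEXT_PLAIN)
    public String myOrders() {
        // getName() is the token's upn claim, falling back to preferred_username
        // and then sub; getSubject() is always the sub claim.
        String user = jwt.getName();
        return "orders for " + user + " (sub=" + jwt.getSubject() + ")";
    }

    // Role checks come from the "groups" claim of the verified token; a request
    // with a customer-only token is refused with 403 before this method runs.
    @GET
    @Path("/all")
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String allOrders() {
        return "all orders, requested by " + securityContext.getUserPrincipal().getName();
    }

    // When this service calls a further service on the user's behalf, it forwards
    // the same token rather than minting a new identity for the user.
    String bearerHeaderForDownstreamCall() {
        return "Bearer " + jwt.getRawToken();
    }
}
```

The point for a reviewer of the docs sentence is the division of labour: the service never re-checks a password; it trusts the token only because the container validated the signature against the issuer's keys and the audience against its own name, and it authorizes from the groups in that token.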
It's a tough topic to explain well, and all of you collaborated and did a good job on it. Hooray!!
Thanks @brutif - it's nice to get nice feedback :)
From LC: This is a new concept topic about authentication in Open Liberty. Authentication verifies who the user is. User ID and password (user registry - link to separate topic), SSO (LTPA, OpenID Connect, SAML, JWT, Social login, SPNEGO - link to separate topics because only one or two of them will be relevant to any given reader so they can ignore the ones they're not interested in). Users of apps running on OL can use their social media accounts (using OAuth and Open ID standards) to log into the apps. If multiple options are presented with a form to select which (give example screenshot to illustrate?). Out of the box, apps can be configured to enable users to use Facebook, Twitter, GitHub, LinkedIn, and Google, but others can be added. Once the user has authenticated, show how an app can find out who the person is.
The authentication topic in the KC provides a bit of an intro but it needs more. First, the concept of authentication on Open Liberty needs to be introduced. Then introduce what JAAS (Java Authentication and Authorization Service) is and how it is used in authentication processes.
A diagram is needed but I don't know whether the one in this topic is a good one to use or not - probably needs updating for the context of microservices - ideally using one of our existing scenarios such as the system properties or the music store.
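For the "show how an app can find out who the person is" item in that outline, an added example that is not part of the issue or of the Open Liberty docs: a servlet on Open Liberty backed by a basic user registry, reading the authenticated principal and checking a role. The user names, passwords, group, role names and package are assumptions.

```java
// Added example, not from the Open Liberty docs. Assumed server.xml (users,
// groups, passwords and role names are hypothetical; a real registry would hold
// passwords encoded with securityUtility encode, or be an LDAP or custom registry):
//
//   <featureManager>
//     <feature>servlet-4.0</feature>
//     <feature>appSecurity-3.0</feature>
//   </featureManager>
//   <basicRegistry id="basic" realm="DemoRealm">
//     <user name="alice" password="alice-pw"/>
//     <user name="bob"   password="bob-pw"/>
//     <group name="staff"><member name="alice"/></group>
//   </basicRegistry>
//   <application location="demo.war">
//     <application-bnd>
//       <security-role name="employee"><group name="staff"/></security-role>
//       <security-role name="anyone">
//         <special-subject type="ALL_AUTHENTICATED_USERS"/>
//       </security-role>
//     </application-bnd>
//   </application>
package example.demo;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The container challenges unauthenticated callers (HTTP Basic here, since no
// login-config is declared) and checks the password against the user registry
// before doGet runs, so getUserPrincipal() is never null inside it. CONFIDENTIAL
// forces HTTPS so the Basic credentials are not sent in clear text.
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(
        rolesAllowed = {"anyone"},
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal p = req.getUserPrincipal();
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as: " + p.getName());
        resp.getWriter().println("auth type: " + req.getAuthType());

        // Authorization decisions go through the role mapping, not the raw group
        // name: alice (group staff -> role employee) sees "yes", bob sees "no".
        if (req.isUserInRole("employee")) {
            resp.getWriter().println("role employee: yes");
        } else {
            resp.getWriter().println("role employee: no");
        }
    }
}
```

The same two calls, getUserPrincipal() and isUserInRole(), answer "who is this" and "what may they do" regardless of whether the registry behind them is basic, LDAP or custom, which is why the outline can link the registry types to separate topics.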