aces / cbrain

CBRAIN is a flexible Ruby on Rails framework for accessing and processing of large data on high-performance computing infrastructures.
GNU General Public License v3.0

I would like an option for openid or oauth-type logins #850

Open ramou opened 5 years ago

ramou commented 5 years ago

I envision this as a mechanism by which an invited user could link authorizing accounts (Compute Canada if they serve OAuth/OpenID, Google, or whatever). Then on the login screen, there would be a button that would let them choose from one of the allowed mechanisms, following the usual process to log them in after that.

I don't know what's won the single sign-on war, but they all did roughly the same thing. Choosing whichever is the currently favored one is fine.

Administrative Use Cases:

User Use Cases:

Historically I found that not all providers followed the rules and I recall having to have custom communication with each server to accommodate how they did stuff. All the same thing, just slightly different flavors.

It works roughly like this (I feel like I've experienced several permutations of the below):

Admin tells CBRAIN C to allow OAUTH through service A, providing a link to A's auth API.

When USER wants to set up A to log in to C, they log into A, tell it they're going to let C ask for authorization, tell A where on C to bounce them back on successful login and then tell C that A gave them secrets/application ids/keys to use whenever they try to use A.

Down the road, when they try to log in to C using A, C and A have a hidden and secure conversation about the pending login, and when USER's browser goes to A, A bounces them back to C with a one-time code that C can verify using their secretly stored info/stuff from the conversation they discreetly had with A. If C likes what they see, USER is logged in.
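
Added example (not part of the original comment and not CBRAIN code): the login flow sketched above in its standard OAuth 2.0 authorization-code form, with both sides simulated in memory. `ProviderA`, `ClientC`, `same?` and the callback URL are hypothetical names; the `state` check and the single-use code are what C's callback has to enforce.

```ruby
require 'securerandom'
# Constant-time string comparison for secrets and state values.
def same?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider "A": in-memory stand-in (hypothetical, not a real provider API).
class ProviderA
  def initialize
    @clients, @codes = {}, {} # registered clients; outstanding one-time codes
  end
  # Registration: C receives an id/secret and pins its callback URL.
  def register(redirect_uri)
    id = SecureRandom.hex(8)
    @clients[id] = { secret: SecureRandom.hex(32), redirect_uri: redirect_uri }
    [id, @clients[id][:secret]]
  end
  # Front channel: after USER logs in at A, the browser is bounced back with a code.
  def authorize(client_id, redirect_uri, state, user)
    raise ArgumentError, 'redirect_uri mismatch' unless @clients.fetch(client_id)[:redirect_uri] == redirect_uri
    code = SecureRandom.urlsafe_base64(24)
    @codes[code] = { client_id: client_id, user: user }
    { code: code, state: state }
  end
  # Back channel: C redeems the code with its secret; delete makes it single-use.
  def redeem(client_id, secret, code)
    grant = @codes.delete(code)
    return nil unless grant && grant[:client_id] == client_id
    same?(@clients[client_id][:secret], secret) ? grant[:user] : nil
  end
end

# Client "C": starts the login and handles the callback.
class ClientC
  CALLBACK = 'https://cbrain.example/oauth/callback' # constructed URL
  def initialize(provider)
    @provider = provider
    @id, @secret = provider.register(CALLBACK)
  end
  def start_login(session)
    session[:oauth_state] = SecureRandom.hex(16) # ties the callback to this browser session
    { client_id: @id, redirect_uri: CALLBACK, state: session[:oauth_state] }
  end
  def finish_login(session, params)
    # The state is consumed on first use, so forged or replayed callbacks are rejected.
    return nil unless same?(session.delete(:oauth_state), params[:state])
    @provider.redeem(@id, @secret, params[:code])
  end
end
```

`finish_login` returns the authenticated user or `nil`; a real deployment would replace `ProviderA` with HTTPS calls to the provider's authorization and token endpoints.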

natacha-beck commented 1 year ago

Is it what is done with Globus authentication? By #1138?

natacha-beck commented 1 year ago

@prioux and @bryancaron any input for this issue? As said, I think it is available through Globus.

ramou commented 1 year ago

@natacha-beck I suspect it may have been addressed at least a couple of years ago based on my quick scan.