Diana Gudu, Marcus Hardt, Gabriel Zachmann
Mar 2023
oidc-agent
flaat
mytoken
SSH
with OIDC tokensflaat
oidc-agent
+ curl
flaat
oidc-agent
mytoken
mytoken
, maybe
vault
ssh-oidc/motley-cue
oidc-agent
(think
“ssh-agent
”)# Example:
# Step 1: Obtain a refresh token from your issuer:
oidc-gen --pub --issuer https://aai.egi.eu/auth/realms/egi --scope "max" test
<follow the flow in your browser ...>
# Step 2: Get access tokens:
oidc-token test
# Step 3: Take a look at the token, and the userinfo endpoint:
for T in $(oidc-token test| tr '.' '\n' ); do
echo $T | base64 -di 2>/dev/null | jq --indent 4 2>/dev/null
done
# Information stored inside the access token:
{ "body": {
"auth_time": 1664276918,
"authenticating_authority": "https://idp.scc.kit.edu/idp/shibboleth",
"azp": "oidc-agent",
"exp": 1679063615,
"iat": 1679060015,
"iss": "https://aai.egi.eu/auth/realms/egi",
"jti": "8fbd6ec9-f6cc-431a-93dd-fd11aee7efbd",
"scope": "openid eduperson_unique_id offline_access eduperson_scoped_affiliation eduperson_entitlement profile email",
"session_state": "18489eb8-6715-4a3a-a56c-42121be20b84",
"sid": "18489eb8-6715-4a3a-a56c-42121be20b84",
"sub": "d7a53cbe3e966c53ac64fde7355956560282158ecac8f3d2c770b474862f4756@egi.eu",
"typ": "Bearer"
}, "header": {
"alg": "RS256",
"kid": "PUYOirA3Y-d_dGpdj4iJDHw4zHa8IY-bhZdaEj0rjbU",
"typ": "JWT"
}, "signature": "TK9z3BMnSslde5pobCk4lSfxOEKMCz17xAFPw0WuSYbAWXM93fbN8yF0aAAM9pK4xm0A_t_JulKjgSZ-nU_ototXoQRhkLZIV59Y5ErFXdeR6SPETSEVVJL7NdON9mdycM0siaQKsl0MYhqVyblCRlsBQkjejyZKzgW1opamGQKaYq_uoG8I4BJsbAJ5rvjNuTMtVTzFjpCXQSVeJNkthSz_C1gNZDHAnWAeGP5cW4PvzIbEqCe-cTKWOfd9u9Y-StSunF-jpr8y0I5_7eQxvOFPC6Vf5lNnPFFxlY25qB10XrTZmFiL-W8qpjaQH-NUFo4cprpHYKsxbBk1aIjw_w",
"verification": {
"algorithm": "RS256"
} }
# Information retrieved from userinfo endpoint: {
"eduperson_assurance": [
"https://refeds.org/assurance/ATP/ePA-1d",
"https://refeds.org/assurance/ATP/ePA-1m",
"https://refeds.org/assurance/IAP/low",
"https://refeds.org/assurance/profile/cappuccino",
"https://refeds.org/assurance/IAP/local-enterprise",
"https://refeds.org/assurance/IAP/medium",
"https://refeds.org/assurance/ID/unique",
"https://refeds.org/assurance/ID/eppn-unique-no-reassign",
"https://aai.egi.eu/LoA#Substantial"
], "eduperson_entitlement": [
"urn:mace:egi.eu:group:covid19.eosc-synergy.eu:admins:role=owner#aai.egi.eu",
"urn:mace:egi.eu:group:eosc-synergy.eu:role=member#aai.egi.eu",
[...]
"urn:mace:egi.eu:group:umsa.cerit-sc.cz:admins:role=member#aai.egi.eu",
"urn:mace:egi.eu:group:umsa.cerit-sc.cz:admins:role=owner#aai.egi.eu"
], "eduperson_scoped_affiliation": [
"employee@kit.edu",
"member@kit.edu"
], "eduperson_unique_id": [ "d7a53cbe3e966c53ac64fde7355956560282158ecac8f3d2c770b474862f4756@egi.eu" ],
"email": "hardt@kit.edu",
"email_verified": true,
"family_name": "Hardt",
"given_name": "Marcus",
"iss": "https://aai.egi.eu/auth/realms/egi",
"name": "Marcus Hardt",
"preferred_username": "mhardt",
"sub": "d7a53cbe3e966c53ac64fde7355956560282158ecac8f3d2c770b474862f4756@egi.eu",
"voperson_verified_email": [ "hardt@kit.edu" ]
}
flaat
# Example Code (skipping boilerplate)
@routes.get("/authorized_vo")
@flaat.requires(
get_vo_requirement(
[
"urn:geant:h-df.de:group:m-team:feudal-developers",
"urn:geant:h-df.de:group:MyExampleColab#unity.helmholtz.de",
],
"eduperson_entitlement", match=1,
)
)
async def authorized_vo(request):
return web.Response(text="This worked: user has the required entitlement")
# Example call and response
$ http http://localhost:8080/authorized_vo "Authorization: Bearer `oidc-token login`"
HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Date: Fri, 17 Mar 2023 13:54:51 GMT
Server: Python/3.11 aiohttp/3.8.3
This worked: user has the required entitlement
mytoken
(think “myProxy
”
done right)mytoken-server
:
refresh token
(typical web-flow)refresh token
with
mytoken
mytoken
-token to useruser (client)
:
mytoken
with mytoken-server
to get
access token
refresh-tokens
with the job?mytoken
client from the
cmdlineKind of holy grail, because:
entitlement
)sub + iss
)flaat
+ pam-module
pam-ssh-oidc
developed by
PSNC (in Pracelab.PL)pam-ssh-oidc
enables two things:
pam-module
uses flaat
for
authorisationflaat
+ pam-module
+
motley_cue
https://motley-cue.readthedocs.io
motley-cue
: Server-side daemon
developed in HIFIS (Germany)motley-cue
fixes 4 things:
entitlement
(i.e. VO)assurance
sub@iss
(user whitelist)motley_cue
creates a one-time-password
(OTP)ssh
-daemons (or clients) were hurt in this project:
mccli
Important
We are working together
to make
things compatible
Orpheus
apt-get install motley-cue pam-ssh-oidc
pip install mccli
/etc/pam.d/sshd
/etc/motley-cue/motley-cue.conf
]/etc/motley-cue/feudal.conf
]