Token solutions for the commandline and more

Diana Gudu, Marcus Hardt, Gabriel Zachmann

Oct 2023

Use Cases / Tools

Get tokens on the commandline

oidc-agent

https://github.com/indigo-dc/oidc-agent




















  • Tool for OIDC access tokens on the commandline
    • WLCG, Unicore, FedCloud, ARC-CE, Japan HPC, Fenix, … (we lost track, …)
    • Obtain refresh token
      • Run an OIDC authcode/device flow
      • Keep it safe (even crypted when in RAM)
  • Key Features
    • X-Session integration
    • Graphical Query
    • mytoken integration
    • Available in major OSes EPEL, Fedora, Debian, Ubuntu, OpenSuSE, Mac, Windows
  • Version 5
    • improves security, configuration, usability, supports mytokens
    • Difficulties to bring v5 to major Linux distributions (dependencies need to be packaged, …)
    • Supports subtle differences of lots of OIDC-Providers
  • Policy Requirements
    • Guidance on the lifetime of Refresh Tokens => AARC-TREE
      • Practical observations: 1d-1y
# Simple to use
oidc-gen atlas <cr> max<cr> [web-flow] <passphrase><passphrase>

Securely use REST API

  • API Access
    • Access a REST API with OIDC: => oidc-agent + curl
    curl https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/userinfo "Authorization: Bearer `oidc-token egi`"
  • API Protection
    • Protect your REST API with OIDC: => flaat
    • Supports flask, AIO, FastAPI
    • Simple decorator syntac














# Example Code (skipping boilerplate)
@routes.get("/authorized_vo")
@flaat.requires(
    get_vo_requirement(
        [
            "urn:geant:h-df.de:group:m-team:feudal-developers",
            "urn:geant:h-df.de:group:MyExampleColab#unity.helmholtz.de",
        ],
        "eduperson_entitlement", match=1,
    )
)
async def authorized_vo(request):
    return web.Response(text="This worked: user has the required entitlement")
# Example call and response
$ http http://localhost:8080/authorized_vo  "Authorization: Bearer `oidc-token login`"
HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Date: Fri, 17 Mar 2023 13:54:51 GMT
Server: Python/3.11 aiohttp/3.8.3

This worked: user has the required entitlement

Long Living Jobs [1/3]

https://mytoken.data.kit.edu

  • Simple, Powerful, Evil?
  • Situation:
    • Users have long lived jobs
    • Antipattern 1: Send Refresh Token to the Infrastructure
    • Antipattern 2: Request Long Lived Access Tokens (ATs cannot be revoked!!)
  • Our Solution:
    • Authcode Flow (web) to obtain a refresh token (on the server)
    • Issue a mytoken to the user
    • Exchange mytokens for Access Tokens:
      • only if: Restrictions
      • only with: Capabilities

Long Living Jobs [2/3]

  • Mitigate the risk of loss
    • Restrictions
      • LIMITATIONS on the token are based on
        • time, IP address space, geolocation, number of usages, scopes, audiences
    • Capabilities
      • WHAT can the mytoken do (get ATs, create new MTs, history, introspection, settings, …)
    • Mytokens can be revoked
    • More info: https://mytoken-docs.data.kit.edu
    • Example: https://mytoken.data.kit.edu
    • Production installation in credential store: https://mytok.eu
  • Inheritance: Create more limited mytoken from a “master” mytoken
  • Cmdline client + Android / IOs app available
  • REST interface very similar to OIDC.
  • This is a lot better than sending refresh-tokens with the job

Long Living Jobs [3/3]

  • Interface for HTCondor (implemented at Physics group of KIT)
    • Ideally: HTCondor limits the mytoken down to site where its sent to
  • Fermilab solution:
    • Based on Hashicrop Vault
    • Vault-Token provides access to vault instance
    • Vault instance returns Access Token

Account Linking

  • How to map federated identity to Unix account?
  • Idea: Web Portal: Accont LInking SErvice (ALISE)
    • Log in with site credentials (obtain Unix username)
    • Link federated Identity
    • Have a REST interface to resolve things
  • Demo: https://localhost:8000

OIDC from the user perspective

orpheus

https://orpheus.data.kit.edu

  • Deep insights into users perspective of OIDC flow

https://orpheus.data.kit.edu
























Secure Shell Access

SSH

  • New + old question: How to use federated identity for ssh?
  • New question: Without modification of ssh code!!

  • Use federated identity
    • SSH-Server has no direct relation with Organisation where user comes from
  • To log into a Unix account
    • How to find the correct unix account?
    • Do users even want to know all their usernames?
  • Many different teams on their quest to reach the “holy grail”
    • Smart Shell
      • AWI, SURF
    • SSH Certificates
      • DEIC, KIT
    • PAM Module
      • STFC, KIT

Important
We are working together
to make / keep things compatible

KIT Approach

  • Authorisation by (either combination of)
    • Virtual Organisation membership (entitlement)
    • Assurance
    • Individual user (sub + iss)
  • Modular
    • Mandatory: PAM Module pam-ssh-oidc
    • Optional:
      • Dynamic provisioning (feudal)
      • REST Interface for advanced features (motley_cue + mccli)
      • NEW: dynamic ssh-certificate-based approach (oinit)
  • Windows Client available: http://repo.data.kit.edu/windows/oidc-agent/
    • Use plugin of putty
    • Plugin supported by oidc-agent for windows available here
  • Supported platforms
    • Windows: Putty
    • Mac/Linux: OpenSSH
  • Packages: https://repo.data.kit.edu

Sparing you the details [1/10]

  • Demo 1: with recommended setup: (https://ssh-oidc-demo.data.kit.edu)
    • ssh-server: - pam-ssh-oidc + motley-cue
    • ssh-client: - oidc-agent + mccli
    # Example
    mccli ssh ssh-oidc-demo.data.kit.edu --oidc google
    
    testme@ssh-oidc-demo:~$
  • Video: https://youtu.be/090D4s0TNaA
  • Pros:
    • Works well (using this in ci-pipeline with a mytoken on daily basis)
    • Works even on Mac and Windows
    • oidc-agent forwarding works out of the box
  • Cons:
    • Modified commandline (i.e. no rsync)
    • Users need to install client-side software

Sparing you the details [2/10]

  • Demo 2: same serverside, web client
    • Use a web browser for all client-side operations:
    • Authcode flow
    • Web ssh-client
    • Some REST glue around that
  • https://ssh-oidc-web.vm.fedcloud.eu
  • Pros: No tools to install
  • Cons: Webshell: No scp, rsync, or git

Sparing you the details [3/10]

  • oinit
    • Serverside: additionally
      • Install oinit tools
      • Define trusted ssh-ca (e.g. in a TXT record)
    • Client:
      • oidc-agent + oinit tools
    • New: SSH-CA with REST interface
  • Idea:
    • Automatic setup of $HOME/.ssh/config to define commands to run before ssh
    • Example: oinit add <host>[:port] [ca]
    • Before actual ssh: obtain an ssh-certificate (lifetime ~24h)
      • Use motley-cue to auhorise and create user
      • Encode relevant information in ssh-certificate
      • Set remote username to oinit
    • on ssh the serverside inspects the call (as oinit)
      • eventually executes oinit-switch <username> [<command>]
  • Pros:
    • Unmodified commandline
    • Allows advanced use-cases e.g. rsync, git, …
  • Cons:
    • Will not work with Windows

OIDC-Fed

Geant Incubator

And now for something completely different

HIFIS

Helmholtz-AAI Features

  • Software: unity (also used for Eudat’s b2access)
  • Self service Group Membership:
  • Implements the Policy Development Kit
  • Follows most AARC recommendations (a lot of these G0XY documents)
    • <=> To use specific schemas for attributes and their content
  • HIFIS is an member of AEGIS
  • Focus on OIDC services
    • OpenID is not OpenID Connect
    • OpenID connect is defined be the OpenID Foundation
    • The OpenID protocol is deprecated
  • Three levels of authorisation
    • Community based (VOs)
    • Home Organisation Based (“Automatic VO”)
    • Assurance Based (RAF)
      • Community-AAI delivers “assumed” assurance for DFN AAI members :)

Information available at services (extensively shortened)

{
    "body": {
        "iss": "https://login.helmholtz.de/oauth2",
        "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
    },
    "display_name": "Marcus Hardt",
    "eduperson_assurance": [
        "https://refeds.org/assurance/IAP/medium"
    ],
    "eduperson_entitlement": [
        "urn:geant:h-df.de:group:HDF#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:HIFIS:Associates#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:IMK-TRO-EWCC#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de",
        "urn:mace:dir:entitlement:common-lib-terms",
        "http://bwidm.de/entitlement/bwLSDF-SyncShare"
    ],
    "eduperson_scoped_affiliation": [
        "employee@kit.edu",
        "member@kit.edu"
    ],
    "eduperson_unique_id": "6c611e2a2c1c487f9948c058a36c8f0e@login.helmholtz-data-federation.de",
    "email": "marcus.hardt@kit.edu"
}

Connected Services

AAI Users

Active users

NFDI

NFDI Background

  • NFDI: National Research Data Initiative
  • https://nfdi.de
  • Three rounds of calls
  • 19 Consortia (call 1 + call 2)
    • To span many different scientific disciplines
      (social, humanities, engineering, earth, chemistry, physics, …)
    • The final 3rd call closed recently
  • 90 M€/a
  • 5a + (potential extension: 5a)

Base4NFDI-IAM-Project

  • Goal: Provide state of the art IAM to all NFDI Consortia
  • Project:
    • 155 Person-Months in 2.5 a
    • 5 Workpackages
  • Partners
    • DAASI (Peter Gietz, David Hübner)
    • DFN (Wolfgang Pempe)
    • FZJ (Sander Apweiler)
    • GWDG (Christof Pohl)
    • KIT (Marcus Hardt, Matthias Bonn)
    • RPTU (Thorsten Michels)
    • RWTH-Aachen (Marius Politze, Jeannette Gottowick)

NFDI/IAM Project















  • Provide Community AAI Installations:
    • AcademicID (GWDG)
    • didmos (DAASI)
    • RegAPP (KIT)
    • Unity (FZJ)
  • … for the 19 NFDI Consortia
    • to choose which software they want
    • to host the (basic) solution for them
    • for as long as funding is available
  • Challenge: Unite four (german, diverging) Community AAI solutions
  • Focus: Interoperability of Community AAIs
  • Extend BPA-2019 where necessary
  • Incorporate German edu-ID
  • HIFIS AAI is the basis on which we move on
  • Documented all here: https://doc.nfdi-aai.de

Attributes

  • Following the AARC Schema
  • Basic Attribute Profile
    • User identifier (created by CAAI)
    • Name information
    • Email information
    • Home Organisation information
    • Affiliation within the community
    • Affiliation at the Home-Organisation
    • Assurance
  • Extended Attribute Profile
    • Authorisation
      • Groups and roles: eduPersonEntitlement
    • Agreement to policies
    • ORCID identifier
    • Authentication Profiles
      • For indicating whether a 2nd factor was used
    • External Idenfifier:
      • An explicitly scoped identifier for a person, typically as issued by an external authentication service. Could be used for ID linking one day.
      • SAML: voPersonExternalID
      • OIDC: voperson_external_id

Policies

Following the AARC Policy Development Kit:
https://aarc-community.org/policies/policy-development-kit

  • Mandatory:
    • SIRTFI
    • SNCTFI
  • Wolfgang currently works on obtaining a “legal opinion” on policies
    • DFNs role in Germany will help

That’s all
























Backup Slides

Motely-cue Architecture

KIT SSH-OIDC: Installation

  • Package installation:
    • Server: apt-get install motley-cue pam-ssh-oidc
    • Client: pip install mccli
  • Configuration:
    • PAM Module: /etc/pam.d/sshd
    • [Authorisation / Supported OPs: /etc/motley-cue/motley-cue.conf]
    • [Provisioning: /etc/motley-cue/feudal.conf]

Cloud –>