Get tokens on the commandline

oidc-agent

# Simple to use
oidc-gen atlas <cr> max<cr> [web-flow] <passphrase><passphrase>

Securely use REST API

• API Access
  • Access a REST API with OIDC: => oidc-agent + curl

  curl https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/userinfo "Authorization: Bearer `oidc-token egi`"

• API Protection
  • Protect your REST API with OIDC: => flaat
  • Supports flask, AIO, FastAPI
  • Simple decorator syntac

# Example Code (skipping boilerplate)
@routes.get("/authorized_vo")
@flaat.requires(
    get_vo_requirement(
        [
            "urn:geant:h-df.de:group:m-team:feudal-developers",
            "urn:geant:h-df.de:group:MyExampleColab#unity.helmholtz.de",
        ],
        "eduperson_entitlement", match=1,
    )
)
async def authorized_vo(request):
    return web.Response(text="This worked: user has the required entitlement")

# Example call and response
$ http http://localhost:8080/authorized_vo  "Authorization: Bearer `oidc-token login`"
HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Date: Fri, 17 Mar 2023 13:54:51 GMT
Server: Python/3.11 aiohttp/3.8.3

This worked: user has the required entitlement

Long Living Jobs [1/3]

https://mytoken.data.kit.edu

• Simple, Powerful, Evil?
• Situation:
  • Users have long lived jobs
  • Antipattern 1: Send Refresh Token to the Infrastructure
  • Antipattern 2: Request Long Lived Access Tokens (ATs cannot be revoked!!)
• Our Solution:
  • Authcode Flow (web) to obtain a refresh token (on the server)
  • Issue a mytoken to the user
  • Exchange mytokens for Access Tokens:
    • only if: Restrictions
    • only with: Capabilities
      

Long Living Jobs [2/3]

• Mitigate the risk of loss
  • Restrictions
    • LIMITATIONS on the token are based on
      • time, IP address space, geolocation, number of usages, scopes, audiences
  • Capabilities
    • WHAT can the mytoken do (get ATs, create new MTs, history, introspection, settings, …)
  • Mytokens can be revoked
  • More info: https://mytoken-docs.data.kit.edu
  • Example: https://mytoken.data.kit.edu
  • Production installation in credential store: https://mytok.eu
• Inheritance: Create more limited mytoken from a “master” mytoken
• Cmdline client + Android / IOs app available
• REST interface very similar to OIDC.
• This is a lot better than sending refresh-tokens with the job

Long Living Jobs [3/3]

• Interface for HTCondor (implemented at Physics group of KIT)
  • Ideally: HTCondor limits the mytoken down to site where its sent to
• Fermilab solution:
  • Based on Hashicrop Vault
  • Vault-Token provides access to vault instance
  • Vault instance returns Access Token

Account Linking

• How to map federated identity to Unix account?
• Idea: Web Portal: Accont LInking SErvice (ALISE)
  • Log in with site credentials (obtain Unix username)
  • Link federated Identity
  • Have a REST interface to resolve things
• Demo: https://localhost:8000

OIDC from the user perspective

orpheus

https://orpheus.data.kit.edu

• Deep insights into users perspective of OIDC flow

https://orpheus.data.kit.edu

SSH

• New + old question: How to use federated identity for ssh?
• New question: Without modification of ssh code!!
  
  
• Use federated identity
  • SSH-Server has no direct relation with Organisation where user comes from
• To log into a Unix account
  • How to find the correct unix account?
  • Do users even want to know all their usernames?
• Many different teams on their quest to reach the “holy grail”
  • Smart Shell
    • AWI, SURF
  • SSH Certificates
    • DEIC, KIT
  • PAM Module
    • STFC, KIT

KIT Approach

• Authorisation by (either combination of)
  • Virtual Organisation membership (entitlement)
  • Assurance
  • Individual user (sub + iss)
• Modular
  • Mandatory: PAM Module pam-ssh-oidc
  • Optional:
    • Dynamic provisioning (feudal)
    • REST Interface for advanced features (motley_cue + mccli)
    • NEW: dynamic ssh-certificate-based approach (oinit)
• Windows Client available: http://repo.data.kit.edu/windows/oidc-agent/
  • Use plugin of putty
  • Plugin supported by oidc-agent for windows available here
• Supported platforms
  • Windows: Putty
  • Mac/Linux: OpenSSH
• Packages: https://repo.data.kit.edu

Sparing you the details [1/10]

• Demo 1: with recommended setup: (https://ssh-oidc-demo.data.kit.edu)
  • ssh-server: - pam-ssh-oidc + motley-cue
  • ssh-client: - oidc-agent + mccli

  # Example
  mccli ssh ssh-oidc-demo.data.kit.edu --oidc google
  
  testme@ssh-oidc-demo:~$

• Video: https://youtu.be/090D4s0TNaA
• Pros:
  • Works well (using this in ci-pipeline with a mytoken on daily basis)
  • Works even on Mac and Windows
  • oidc-agent forwarding works out of the box
• Cons:
  • Modified commandline (i.e. no rsync)
  • Users need to install client-side software

Sparing you the details [2/10]

• Demo 2: same serverside, web client
  • Use a web browser for all client-side operations:
  • Authcode flow
  • Web ssh-client
  • Some REST glue around that
• https://ssh-oidc-web.vm.fedcloud.eu
• Pros: No tools to install
• Cons: Webshell: No scp, rsync, or git

Sparing you the details [3/10]

• oinit
  • Serverside: additionally
    • Install oinit tools
    • Define trusted ssh-ca (e.g. in a TXT record)
  • Client:
    • oidc-agent + oinit tools
  • New: SSH-CA with REST interface
• Idea:
  • Automatic setup of $HOME/.ssh/config to define commands to run before ssh
  • Example: oinit add <host>[:port] [ca]
  • Before actual ssh: obtain an ssh-certificate (lifetime ~24h)
    • Use motley-cue to auhorise and create user
    • Encode relevant information in ssh-certificate
    • Set remote username to oinit
  • on ssh the serverside inspects the call (as oinit)
    • eventually executes oinit-switch <username> [<command>]
• Pros:
  • Unmodified commandline
  • Allows advanced use-cases e.g. rsync, git, …
• Cons:
  • Will not work with Windows

Geant Incubator

Links

• Incubator Wiki page: https://wiki.geant.org/display/GWP5/OIDCfed+support+on+SimpleSAMLphp?src=contextnavpagetreemode
• A brief introduction to OIDC Federations: https://docs.google.com/presentation/d/1ZAGlslIDrFbLgjmRYhd5L64kknK_ayhiUj4-G9CBB-0/edit#slide=id.g24851da2438_0_80
• Deep Dive Slides: https://docs.google.com/presentation/d/1pLArrgBh7pINF4pqm-4HM1h2N-XnVdb37y_M08Ycjps/edit?usp=drive_web&ouid=104223951181002749851

HIFIS

Helmholtz-AAI Features

• Software: unity (also used for Eudat’s b2access)
• Self service Group Membership:
• Implements the Policy Development Kit
• Follows most AARC recommendations (a lot of these G0XY documents)
  • <=> To use specific schemas for attributes and their content
• HIFIS is an member of AEGIS
• Focus on OIDC services
  • OpenID is not OpenID Connect
  • OpenID connect is defined be the OpenID Foundation
  • The OpenID protocol is deprecated
• Three levels of authorisation
  • Community based (VOs)
  • Home Organisation Based (“Automatic VO”)
  • Assurance Based (RAF)
    • Community-AAI delivers “assumed” assurance for DFN AAI members :)

Information available at services (extensively shortened)

{
    "body": {
        "iss": "https://login.helmholtz.de/oauth2",
        "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
    },
    "display_name": "Marcus Hardt",
    "eduperson_assurance": [
        "https://refeds.org/assurance/IAP/medium"
    ],
    "eduperson_entitlement": [
        "urn:geant:h-df.de:group:HDF#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:HIFIS:Associates#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:IMK-TRO-EWCC#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de",
        "urn:mace:dir:entitlement:common-lib-terms",
        "http://bwidm.de/entitlement/bwLSDF-SyncShare"
    ],
    "eduperson_scoped_affiliation": [
        "employee@kit.edu",
        "member@kit.edu"
    ],
    "eduperson_unique_id": "6c611e2a2c1c487f9948c058a36c8f0e@login.helmholtz-data-federation.de",
    "email": "marcus.hardt@kit.edu"
}

Connected Services

• Helmholtz Federated IT services (HIFIS, hifis.net)
  • Drives development, documentation and service integration
  • cloud.helmholtz.de/services
• List of registered services: aai.helmholtz.de/services
  • More than 100

AAI Users

Active users

NFDI Background

• NFDI: National Research Data Initiative
• https://nfdi.de
• Three rounds of calls
• 19 Consortia (call 1 + call 2)
  • To span many different scientific disciplines
    (social, humanities, engineering, earth, chemistry, physics, …)
  • The final 3rd call closed recently
• 90 M€/a
• 5a + (potential extension: 5a)

Base4NFDI-IAM-Project

• Goal: Provide state of the art IAM to all NFDI Consortia
• Project:
  • 155 Person-Months in 2.5 a
  • 5 Workpackages
• Partners
  • DAASI (Peter Gietz, David Hübner)
  • DFN (Wolfgang Pempe)
  • FZJ (Sander Apweiler)
  • GWDG (Christof Pohl)
  • KIT (Marcus Hardt, Matthias Bonn)
  • RPTU (Thorsten Michels)
  • RWTH-Aachen (Marius Politze, Jeannette Gottowick)

NFDI/IAM Project

Attributes

• Following the AARC Schema
• Basic Attribute Profile
  • User identifier (created by CAAI)
  • Name information
  • Email information
  • Home Organisation information
  • Affiliation within the community
  • Affiliation at the Home-Organisation
  • Assurance
• Extended Attribute Profile
  • Authorisation
    • Groups and roles: eduPersonEntitlement
  • Agreement to policies
  • ORCID identifier
  • Authentication Profiles
    • For indicating whether a 2nd factor was used
  • External Idenfifier:
    • An explicitly scoped identifier for a person, typically as issued by an external authentication service. Could be used for ID linking one day.
    • SAML: voPersonExternalID
    • OIDC: voperson_external_id

Policies

Following the AARC Policy Development Kit:
https://aarc-community.org/policies/policy-development-kit

• Mandatory:
  • SIRTFI
  • SNCTFI
• Wolfgang currently works on obtaining a “legal opinion” on policies
  • DFNs role in Germany will help

That’s all

Motely-cue Architecture

KIT SSH-OIDC: Installation

• Package installation:
  • Server: apt-get install motley-cue pam-ssh-oidc
  • Client: pip install mccli
• Configuration:
  • PAM Module: /etc/pam.d/sshd
  • [Authorisation / Supported OPs: /etc/motley-cue/motley-cue.conf]
  • [Provisioning: /etc/motley-cue/feudal.conf]

Cloud –>