FAS automation: Device Authorization Grant?

We currently have some automation use cases which are not using FAS (or any other auth, in some cases) where I think they could be. This is primarily around how we publish things outside of Fedora Infra proper. I don’t want to name the specific use cases here because I believe they might represent risks, but I’d like to discuss in the abstract what I believe to be the correct solution for automation use cases.

OAuth 2.0 Device Authorization Grant (RFC 8628) is essentially, “A human logs into FAS once via standard methods and then receives a refresh token whose TTL can be refreshed indefinitely.” If the token expires because the user didn’t refresh it fast enough, they can always manually log in again for a new refresh token. This allows us to put FAS in front of any OIDC-capable service (including apache / haproxy) while still allowing people to easily self-serve their automation needs.

The alternative option is Client Credentials Flow, where an admin has to get involved to provision each client + client secret. Presumably we want to avoid the admin toil + long-lived secrets of this approach, but it is a valid one.


Is there any plan to support automation with FAS auth? Have we discussed this in the past / do we have any thoughts around creating a plan here? (One which I might be able to help implement?)

I’d like to get this in place before proposing adding FAS auth to specific endpoints, so that if/when we enact that we already have a replacement solution for existing unauthenticated automation.

I’m aware that we do have Kerberos auth in some places, but since most modern auth solutions are OIDC / OAuth by default and Kerberos support is dwindling, I think it would be worth considering how to move forward with this as a user-friendly approach for securing any endpoints which are currently open.
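The exchange the post above describes, as an added example that is not part of the original post and is not code from Keycloak, Ipsilon or FAS: a simplified in-memory authorization server implementing the RFC 8628 endpoints, plus the two client-side routines an automation script would run (the one-time device flow with a human in the loop, and the later refresh with no human). The hostname `id.example.org`, the client id `parquet-download-cli`, the user `alice` and the `FakeClock` are made up for the example; tokens are opaque random strings rather than the JWTs a real provider issues, and validation of the access token by the resource server is not modelled.

```python
import secrets
from types import SimpleNamespace

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 s6.1 base-20 set: no vowels, no look-alike glyphs
VERIFICATION_URI = "https://id.example.org/device"  # assumed hostname for the example, not Fedora's IdP

class FakeClock:  # manual clock so the example runs instantly; on_tick lets the demo act "while the script sleeps"
    def __init__(self, on_tick=None): self.t, self.on_tick = 0.0, on_tick
    def now(self): return self.t
    def sleep(self, seconds): self.t += seconds; self.on_tick and self.on_tick(self.t)

class AuthServer:
    """In-memory stand-in for the OIDC provider (not Keycloak/Ipsilon); tokens are opaque strings, not JWTs."""
    def __init__(self, clock, device_ttl=600, interval=5, access_ttl=300, refresh_ttl=30 * 86400):
        self.clock, self.device_ttl, self.interval, self.access_ttl, self.refresh_ttl = clock, device_ttl, interval, access_ttl, refresh_ttl
        self.pending = {}  # device_code -> outstanding request
        self.refresh = {}  # refresh_token -> (client_id, user, scope, expires_at)

    def device_authorization(self, client_id, scope):
        """POST /device_authorization (RFC 8628 s3.1-3.2): open a flow and return the codes to show the human."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.pending[device_code] = SimpleNamespace(client_id=client_id, scope=scope, user_code=user_code, approved_by="",
                                                    expires_at=self.clock.now() + self.device_ttl, last_poll=float("-inf"))
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "verification_uri_complete": f"{VERIFICATION_URI}?user_code={user_code}",
                "expires_in": self.device_ttl, "interval": self.interval}

    def approve(self, user_code, username):
        """Out-of-band human step (RFC 8628 s3.3): log in the normal way, type the code, consent."""
        for p in self.pending.values():
            if p.user_code == user_code and self.clock.now() < p.expires_at:
                p.approved_by = username
                return True
        return False

    def _issue(self, client_id, user, scope):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (client_id, user, scope, self.clock.now() + self.refresh_ttl)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": rt, "scope": scope, "sub": user}

    def token(self, grant_type, client_id, **params):
        """POST /token: device-code polling (RFC 8628 s3.4-3.5) or refresh (RFC 6749 s6); errors as RFC objects."""
        now = self.clock.now()
        if grant_type == DEVICE_GRANT:
            p = self.pending.get(code := params.get("device_code", ""))
            if p is None or p.client_id != client_id:  # unknown code, or another client trying to redeem it
                return {"error": "invalid_grant"}
            if now >= p.expires_at:
                del self.pending[code]
                return {"error": "expired_token"}  # client must start a new flow
            if now - p.last_poll < self.interval:
                p.last_poll = now
                return {"error": "slow_down"}  # polled faster than the advertised interval
            p.last_poll = now
            if not p.approved_by:
                return {"error": "authorization_pending"}
            del self.pending[code]  # a device_code is redeemable once
            return self._issue(client_id, p.approved_by, p.scope)
        if grant_type == "refresh_token":
            entry = self.refresh.pop(params.get("refresh_token", ""), None)  # rotation: the old token dies here
            if entry is None or entry[0] != client_id or now >= entry[3]:
                return {"error": "invalid_grant"}  # caller must run the device flow again
            return self._issue(*entry[:3])
        return {"error": "unsupported_grant_type"}

def obtain_tokens(server, clock, client_id, scope, hand_to_human):
    """Client, first run on a machine: open the flow, show the code, poll until the human approves."""
    auth = server.device_authorization(client_id, scope)
    hand_to_human(auth)  # a real script prints verification_uri_complete and waits
    interval = auth["interval"]
    while True:
        clock.sleep(interval)
        resp = server.token(DEVICE_GRANT, client_id, device_code=auth["device_code"])
        err = resp.get("error")
        if err is None:
            return resp  # persist refresh_token (e.g. a mode-0600 file) for later runs
        if err == "slow_down":
            interval += 5  # RFC 8628 s3.5: back off by 5 seconds
        elif err != "authorization_pending":
            raise RuntimeError(err)  # expired_token, access_denied, ...

def refresh_access_token(server, client_id, refresh_token):  # client, every later run: no human involved
    resp = server.token("refresh_token", client_id, refresh_token=refresh_token)
    if "error" in resp: raise RuntimeError(resp["error"])  # fall back to obtain_tokens(): the human logs in again
    return resp

def demo():
    codes, client = {}, "parquet-download-cli"  # constructed scenario; the client id is made up
    clock = FakeClock(on_tick=lambda t: t >= 12 and server.approve(codes["user_code"], "alice"))  # human approves at 12 s
    server = AuthServer(clock)
    first = obtain_tokens(server, clock, client, "openid offline_access", codes.update)
    clock.sleep(first["expires_in"] + 1)  # the access token has now expired
    second = refresh_access_token(server, client, first["refresh_token"])
    stale = server.token("refresh_token", client, refresh_token=first["refresh_token"])  # rotated away
    return first, second, stale
```

Running `demo()` walks the whole lifecycle: the script shows a user code, polls and gets `authorization_pending` until the human has logged in and approved, receives an access token plus refresh token, and on a later run trades the refresh token for a new access token without anyone present. Three details the post's one-sentence summary leaves out are visible in the code: the client must honour `slow_down` and stop on `expired_token`, a `device_code` can be redeemed only once and only by the client that requested it, and with refresh-token rotation the previous refresh token is refused after use, so a script that crashes between receiving and persisting the new token has to send its user through the device flow again. How long a refresh token stays valid, and whether it rotates, is the provider's policy rather than anything the client controls.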

I’ll be honest that I am not really sure what you are asking and what is missing in our infrastructure today. I am aware of work to retire OpenID and migrate to OpenID Connect, but I’m not sure about all the details.

The way we are doing this currently is with Kerberos keytabs, but they are not available outside the Fedora infrastructure. Are your services running inside the Fedora infra at the moment?

No, this is for accessing Fedora things from outside of Fedora.

If you’d like to see a reference implementation, Hatlas is running Keycloak and has implemented OIDC Device Flow for download of Datanommer data in Parquet format: fedora-mwinters/datanommer-parquet-download: Get you some nom - Codeberg.org

A quick look at the code makes me think that Ipsilon does not support Device Authorization Grant, and probably never will. Maybe that’ll be possible when we switch to Keycloak (unless I’m missing something).


Let’s time travel together to the day that Keycloak is in place. What are your thoughts on implementing this?

Personally, my thoughts are:

  • OIDC Device Flow is a checkbox in Keycloak, so extremely low-hanging fruit there
  • OIDC auth is widely supported by the target services (apache, nginx, newer versions of things like Postgres, etc) so we should enable it anywhere it makes sense.