ovirt SSO Specification

Similar documents
E POSTBUSINESS API Login-API Reference. Version 1.1

Using OAuth 2.0 to Access ionbiz APIs

Login with Amazon. Developer Guide for Websites

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30

The OAuth 2.0 Authorization Protocol

Login with Amazon. Developer Guide API Version

Aruba Central Application Programming Interface

The production version of your service API must be served over HTTPS.

Oracle Fusion Middleware. API Gateway OAuth User Guide 11g Release 2 ( )

Realtime API. API Version: Document Revision: 16 Last change:26 October Kwebbl Swiss Software House GmbH

Mobile Procurement REST API (MOBPROC): Access Tokens

Protect Your API with OAuth 2. Rob Allen

API Gateway. Version 7.5.1

NetIQ Access Manager 4.3. REST API Guide

Integrating with ClearPass HTTP APIs

WEB API. Nuki Home Solutions GmbH. Münzgrabenstraße 92/ Graz Austria F

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

OAuth and OpenID Connect (IN PLAIN ENGLISH)

Login with Amazon. SDK for JavaScript v1.0 Reference

ChatWork API Documentation

django-oauth2-provider Documentation

INTEGRATION MANUAL DOCUMENTATION E-COMMERCE

fredag 7 september 12 OpenID Connect

Oracle Fusion Middleware. Oracle API Gateway OAuth User Guide 11g Release 2 ( )

NIELSEN API PORTAL USER REGISTRATION GUIDE

ClickToCall SkypeTest Documentation

OpenID Connect Opens the Door to SAS Viya APIs

FAS Authorization Server - OpenID Connect Onboarding

Nordea e-identification Service description

Tutorial: Building the Services Ecosystem

FAS Authorization Server - OpenID Connect Onboarding

Web Messaging Configuration Guide Document Version: 1.3 May 2018

Usage of "OAuth2" policy action in CentraSite and Mediator

GPII Security. Washington DC, November 2015

JPX Data Cloud API Specifications

TELIA OPERATOR SERVICE PLATFORM

If the presented credentials are valid server will respond with a success response:

python-oauth2 Documentation

SAS Event Stream Processing 4.3: Security

NetIQ Access Manager 4.4. REST API Guide

HKWirelessHD API Specification

API Common Exceptions and Tips for Handling

Advanced API Security

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

SAS Event Stream Processing 4.2: Security

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol

Sophos Mobile Control Network Access Control interface guide. Product version: 7

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol

Building the Modern Research Data Portal. Developer Tutorial

Single Sign-On for PCF. User's Guide

Identity and Data Access: OpenID & OAuth

Salesforce IoT REST API Getting Started Guide

Check to enable generation of refresh tokens when refreshing access tokens

Sophos Mobile. Network Access Control interface guide. Product Version: 8.1

Kerberos and Single Sign On with HTTP

ClearPass. ClearPass Extension Universal Authentication Proxy. ClearPass Extension Universal Authentication Proxy TechNote

MediaAUTH Draft Proposal

Authorization and Authentication

REST API: Guide for Implementers

The PureEngage Cloud API. Jim Crespino Director, Developer Enablement

SAS Viya 3.3 Administration: Authentication

USER MANUAL. SalesPort Salesforce Customer Portal for WordPress (Lightning Mode) TABLE OF CONTENTS. Version: 3.1.0

OAuth2lib. implementation

Web Based Single Sign-On and Access Control

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Entrust GetAccess 7.0 Technical Integration Brief for IBM WebSphere Portal 5.0

OAuth2 Autoconfig. Copyright

User Guide. Version R92. English

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Connect. explained. Vladimir Dzhuvinov. :

Volante NACHA ISO20022 Validator AMI User Guide

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Commercial-in-Confidence

Administering Jive Mobile Apps for ios and Android

Authentication in the Cloud. Stefan Seelmann

GitHub-Flask Documentation

Java Relying Party API v1.0 Programmer s Guide

OneLogin Integration User Guide

OAuth 2.0 Guide. ForgeRock Access Management 5.5. ForgeRock AS 201 Mission St, Suite 2900 San Francisco, CA 94105, USA (US)

Libelium Cloud Hive. Technical Guide

Vipps Signup & Login API. Version: 1.0 Date produced: Jan-2017

Security Guide Release 7.1

Partner Center: Secure application model

Cloud Access Manager Configuration Guide

sanction Documentation

User Guide. Version R94. English

ETSI TS V ( )

TACHO ONLINE API. TUNGVOGNSSPECIALISTEN APS Københavnsvej 265, DK-4000 Roskilde

FAS Authorization Server - OpenID Connect Onboarding

AT&T Developer Best Practices Guide

Coveo Platform 7.0. Yammer Connector Guide

To start your custom application development, perform the steps below.

Technical Overview. Version March 2018 Author: Vittorio Bertola

Request for Comments: 5849 April 2010 Category: Informational ISSN:

Canonical Identity Provider Documentation

Alloy Navigator API USER S GUIDE. Integration with External Systems. Product Version: 7.0 Document Revision: 1.0 Date: November 30, 2015

How to Configure Authentication and Access Control (AAA)

RSA NetWitness Logs. Salesforce. Event Source Log Configuration Guide. Last Modified: Wednesday, February 14, 2018

Authentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford

Transcription:

ovirt SSO Specification Behavior Changes End user visible changes The password delegation checkbox at user portal login is now a profile setting. Sysadmin visible changes Apache negotiation URL change Kerberos or any other negotiation module should not be applied to entire URI namespace, this provide huge performance improvement and greater flexibility. See Misc section of apache configuration example. RestAPI visible changes RestAPI negotiation authentication RestAPI negotiation authentication is disabled by default, application should use the new OAuth2 interface in order to acquire a token. This can be re enabled by engine configuration ENGINE_RESTAPI_NEGO and adding ^/ovirt engine/api to LocationMatch of apache configuration. Notice: in most cases this will have negative performance impact due to HTTP renegotiation. OAuth2 Outline The ovirt SSO service is OAuth2 compliant with minimal features. References http://tools.ietf.org/html/rfc6749 http://tools.ietf.org/html/rfc6750 https://tools.ietf.org/html/draft ietf oauth introspection 04 https://developer.github.com/v3/oauth/ https://aaronparecki.com/articles/2012/07/29/1/oauth2 simplified https://developer.linkedin.com/docs/oauth2 /sso/oauth/authorize Query String Parameters client_id string Required: Client unique id, provided at registration time. response_type string "code" scope string A space delimited list of scopes. If not provided a default will be used. redirect_uri string The URL to which to redirect after authorization. It must

match the base URL that was provided at registration time. state string Cross site protection, sent as a parameter to the redirection_uri. redirection_uri query String Parameters state string The content of state sent to authorize. code string The authorization code. Base64 alphabet long string. invalid_request unauthorized_client access_denied invalid_scope server_error The request is missing a required parameter, includes an unsupported parameter value. The client is not authorized to request an authorization code using this method. The resource owner or authorization server denied the request. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Any other server error. temporarily_unavailable... ovirt_not_authenticated if not logged in. /sso/oauth/token[authorization_code] Headers Authorization string Basic authorization header of client_id as a user and client_secret as a password. ContentType String application/x www form urlencoded Accept string Response form. Supported: application/json POST parameters

client_id string Required: Client unique id, provided at registration time. [fallback to authorization header]. client_secret string Required: Client secret, provided at registration time. [fallback to authorization header]. grant_type string "authorization_code" code string Required: The authorization code. Base64 alphabet long string. redirect_uri string Must be valid for client_id but not actually used(?!?). Response application/json { "access_token": "token", "scope": "space_delimited_scopes", "expires_in": "lifetime_in_seconds", # taken out of auth record "token_type": "bearer" } invalid_request unauthorized_client access_denied invalid_grant unsupported_response_type invalid_scope server_error The request is missing a required parameter, includes an unsupported parameter value. The client is not authorized to request an authorization code using this method. The resource owner or authorization server denied the request. The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization server does not support obtaining an access token using this method. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Any other server error. temporarily_unavailable...

/sso/oauth/token[password] Headers Authorization string Authorization headers for client. ContentType String application/x www form urlencoded Accept string Response form. Supported: application/json POST parameters client_id string Required: Client unique id, provided at registration time. [fallback to authorization header]. client_secret string Required: Client secret, provided at registration time. [fallback to authorization header]. grant_type string "password" username string Required: User name. password string Required: User's Password. scope string A space delimited list of scopes. If not provided a default will be used. ovirt_auth_record string Optional: ovirt proprietary auto record applicable when login on behalf is used. Response application/json { "access_token": "token", "scope": "space_delimited_scopes", "expires_in": "lifetime_in_seconds", # taken out of auth record "token_type": "bearer" } invalid_request unauthorized_client The request is missing a required parameter, includes an unsupported parameter value. The client is not authorized to request an authorization

code using this method. access_denied invalid_grant unsupported_grant_type invalid_scope server_error The resource owner or authorization server denied the request. The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization grant type is not supported by the authorization server. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Any other server error. temporarily_unavailable... /sso/oauth/token[-http-auth][urn:ovirt:params:oauth:grant-type:http] This is an extension to OAuth2 to enable authenticating a user (Resource Owner) with standard HTTP authorization headers. This will enable SPENGO or other methods to be usable while are not usable in the password grant_type. Headers Authorization string Authorization headers for user. ContentType String application/x www form urlencoded Accept string Response form. Supported: application/json Query and/or POST parameters grant_type string "urn:ovirt:params:oauth:grant type:http" scope string A space delimited list of scopes. If not provided a default will be used. Response application/json { "access_token": "token", "scope": "space_delimited_scopes", "expires_in": "lifetime_in_seconds", # taken out of auth record

} "token_type": "bearer" invalid_request access_denied unsupported_grant_type invalid_scope server_error The request is missing a required parameter, includes an unsupported parameter value. The resource owner or authorization server denied the request. The authorization grant type is not supported by the authorization server. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Any other server error. temporarily_unavailable... /sso/oauth/token_info Headers Authorization string Basic authorization header of client_id as a user and client_secret as a password. ContentType string application/x www form urlencoded Accept string Response form. Supported: application/json POST parameters client_id string Required: Client unique id, provided at registration time. [fallback to authorization header]. client_secret string Required: Client secret, provided at registration time. [fallback to authorization header]. token string Required: The access token. scope string A space delimited list of scopes. If not provided a default will be used. Specifying ovirt auth validate scope will supress token information in response.

Response application/json { "active": true/false, "token_type": "bearer", "client_id": "client_id_who_issue_token", "user_id": "xx", "scope": "space_delimited_scopes", "exp": "in_seconds", "ovirt": { "version": 0, "principal_id": external id of the user, "email": email address, "group_ids": group ids of the user, "password": "users' password if ovirt auth password access scope" } } invalid_request unauthorized_client invalid_grant server_error The request is missing a required parameter, includes an unsupported parameter value. The client is not authorized to request an authorization code using this method. The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Any other server error. temporarily_unavailable... /sso/oauth/revoke ovirt extension to the OAuth2 interface to revoke an access token. Revoking authentication token can be done without client_id/client_secret credentials, unless special scope is required. Headers Authorization string Basic authorization header of client_id as a user and client_secret as a password. Or Bearer authentication based on authorization token.

ContentType string application/x www form urlencoded Accept string Response form. Supported: application/json POST parameters client_id string Client unique id, provided at registration time. [fallback to authorization header (Basic)]. client_secret string Client secret, provided at registration time. [fallback to authorization header (Basic)]. token string Required: The access token. [fallback to authorization header (Bearer)] scope string A space delimited list of scopes. If not provided a default will be used. Response application/json { } invalid_request unauthorized_client invalid_grant invalid_scope server_error The request is missing a required parameter, includes an unsupported parameter value. The client is not authorized to request an authorization code using this method. The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Any other server error. temporarily_unavailable...

Error Response Response May be in query string, or json payload. error error_description error_uri A single ASCII error code. Human readable error. A URI of human readable page. invalid_request invalid_client invalid_grant invalid_scope The request is missing a required parameter, includes an unsupported parameter value. Client authentication failed. The provided authorization grant is invalid. The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. Notification callback Issued if registered for client. Headers ContentType string application/x www form urlencoded POST parameters event string event name: logout token string The token. token_type string bearer None. Client Application Accessing application is done by setting the following authorization header: Authorization: Bearer <token>

Configuration SSO Configuration Type Default SSO_TOKEN_TIMEOUT Int 360000 Maximum lifetime in seconds of a token. Was: vdc_options::usersessionhar dlimit SSO_HOUSE_KEEPING_INTERVAL Int 60 Interval in which housekeeping occur in seconds. SSO_AUTH_LOGIN_SEQUENCE Str NI Login sequence to use. B Basic enforce. b Basic accept. N Negotiate. I Internal. SSO_TOKEN_HTTP_LOGIN_SEQUEN CE Str Nb b Basic accept. N Negotiate. SSO_CALLBACK_PREFIX_CHECK Bool true Enforce OAuth2 callback prefix. Should not be modified. SSO_PKI_TRUST_STORE File "${ENGINE_ PKI_TRUST*} " Trust store for outgoing communications. SSO_PKI_TRUST_STORE_TYPE Str "${ENGINE_ PKI_TRUST*} " Trust store for outgoing communications. SSO_PKI_TRUST_STORE_PASSWOR D Str "${ENGINE_ PKI_TRUST*} " Trust store for outgoing communications. SSO_ENGINE_URL Str "http://${engi NE_FQDN}${ ENGINE_URI }" The engine URL for ovirt logo in login page. Engine Configuration Type Default ENGINE_SSO_AUTH_URL Str SSO URL visible for user agent. ENGINE_SSO_SERVICE_URL Str "${ENGINE_ SSO_AUTH_ URL}" SSO service URL for direct communications. ENGINE_SSO_SERVICE_SSL_PROT Str TLSv1 SSL protocol to use.

OCOL ENGINE_SSO_SERVICE_SSL_VERIF Y_HOST ENGINE_SSO_SERVICE_SSL_VERIF Y_CHAIN Bool True Enable host verification. Bool True Enable chain verification ENGINE_RESTAPI_NEGO Bool False Enable restapi nego using direct access. ENGINE_SSO_CLIENT_ID Str Client id to use. ENGINE_SSO_CLIENT_SECRET Str Client password to use. ENGINE_SSO_AUTH_SEQUENCE_ap p=seq Str ~ Override auth sequence for this app. app can be: webadmin, userportal, welcome. ENGINE_ERROR_PAGE Str ${ENGINE_U RI}/error.html The error page to display when apps receive errors from SSO. Data Model SSO Client registration Persistent, accessible only to SSO service. Probably in database table. id seq client_id string Unique string, probably uuid. client_secret string PBEEnvelope format callback_prefix string A url prefix for cross site prevention. certificate_location string Optional location of certificate to encrypt password to. notification_callbac k notification_callbac k_protocol notification_callbac k_verify_host notification_callbac k_verify_chain string string boolean boolean Optional location of callback for this client. SSL protocol to use, default: "TLSv1" Verify host name when communicating to callback. Verify chain when communicating to callback.

description string Client description, not actually used. email string Client contact. scope string Space delimited scopes approved for this client. trusted boolean If trusted no user approval dialog will be presented before authentication. We support only trusted for now. SSO token registry Non persistent storage. token string [Key] access token. base64(random[64bytes]) client_id string/null client who issued token. active boolean may hold inactive for a while until cleanup. code string/null authorization code. base64(random[64bytes]) userid string unique user id authz:user or similar. user string user name. validto timestamp scope string space delimited scopes ovirt_auth_record complex key: "name;type;uuid" value: json serialize ovirt_principal_record complex password string if ovirt password access scope had been requested. Application SSO credentials Within engine config, generated by setup. For now we can have single client_id for all engine applications (api, userportal, webadmin). Scopes Global Scopes ovirt app portal Permit login into user portal.

ovirt app admin ovirt app api ovirt ext=ext Permit login into webadmin. Permit interaction with API. Ovirt extension, may appear multiple times. Scope Dependencies Scopes ovirt app admin ovirt app portal ovirt app api ovirt ext=token:password access ovirt ext=token info:validate ovirt ext=token:login on behalf ovirt ext=revoke:revoke all Internal engine ovirt app api ovirt ext=token info:validate A restapi client Auth Extensions auth:identity token:password access token info:validate auth:sequence priority=seq Return existing identity, do not present login form. Callback error code is ovirt_not_authenticated if not authenticated. Enables user's raw password access. This should not be used in new clients. Only perform session validation, does not return data. Request to modify login sequence. Available sequences: B Basic enforce. b basic accept. I internal. N negotiate. sso setting is intersected with the seq settings, if empty result, an error should be presented. if seq begins with ~ then it is prepend to sso setting, removing duplicates before intersecting, this used to set priority to specific method. For example: sso: bni seq: ~I prepend: IbNI Dup remove: IbN

intersect: IbN Token Extensions token:login on behalf token:password access Valid only when grant_type=password, enable login without password check. Care should be taken when assigning this scope to a client. Enables user's raw password access. This should not be used in new clients. Token Info Extensions token info:validate Only perform session validation, does not return data. Revoke Extensions revoke:revoke all Revoke all access tokens of a user. Should be used by authorized application to logout a user completely. Misc External Authentication Apache Configuration <LocationMatch ^/ovirt engine/sso/(interactive login negotiate oauth/token http auth)> RewriteEngine on RewriteCond %{LA U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ [L,P,E=REMOTE_USER:%1] RequestHeader set X Remote User %{REMOTE_USER}s AuthType Kerberos Auth "Kerberos Login" Krb5Keytab /etc/krb5.keytab KrbAuthRealms REALM KrbMethodK5Passwd off Require valid user ErrorDocument 401 "<html><meta http equiv=\"refresh\" content=\"0; url=/ovirt engine/sso/login unauthorized\"/><body><a href=\"/ovirt engine/sso/ login unauthorized\">here</a></body></html>" </LocationMatch> If ENGINE_RESTAPI_NEGO is enabled, add the following: <LocationMatch ^/ovirt engine/api> RewriteEngine on RewriteCond %{LA U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ [L,P,E=REMOTE_USER:%1]

RequestHeader set X Remote User %{REMOTE_USER}s AuthType Kerberos Auth "Kerberos Login" Krb5Keytab /etc/krb5.keytab KrbAuthRealms REALM KrbMethodK5Passwd off Require valid user </LocationMatch> Examples RestAPI access Acquire ticket HTTP Authentication (Basic) $ curl v k H "Accept: application/json" 'https://user:password@engine/ovirt engine/sso/oauth/token?grant_type=urn:ovirt:par ams:oauth:grant type:http&scope=ovirt app api' HTTP Authentication (SPNEGO) $ curl negotiate user : v k H "Accept: application/json" 'https://engine/ovirt engine/sso/oauth/token http auth?grant_type=urn:ovirt:params:oauth:g rant type:http&scope=ovirt app api' User/password Authentication $ curl v k H "Accept: application/json" 'https://engine/ovirt engine/sso/oauth/token?grant_type=password&username=user&pas sword=password&scope=ovirt app api' Reply {"access_token":"mwiwc8zjomloysbipedylihumm1iv9ltw2ossmfh85hj9nmy Gph_aalD 4FqjTMRQYSwjFuiqIWqDJwD 2dYVQ","scope":"ovirt app api ovirt ext=token info:validate","exp":2147483647,"token_type":"bearer"} Access $ curl v k H "Authorization: Bearer mwiwc8zjomloysbipedylihumm1iv9ltw2ossmfh85hj9nmy Gph_aalD4FqjTMRQYSwjF uiqiwqdjwd 2dYVQ" L https://engine/ovirt engine/api

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback